Vizboard

Security checks across malware telemetry and agentic risk

Overview

The skill’s visual HTML features are coherent, but its instructions also read private context, modify files, launch a browser, and use external services in ways that are broader than a user would expect.

Review before installing. Use this only if you are comfortable with a visualization skill reading prior-session or memory files, inspecting git history, saving HTML under your home directory, opening a browser, and loading third-party network resources. Prefer a fork or update that restricts inputs to the current task, asks before any file overwrite or browser launch, disables external image generation by default, and uses bundled/local libraries for exported HTML.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
The prompt explicitly instructs the agent to mine conversation history and per-user memory/progress files to reconstruct rationale, which exceeds the stated purpose of generating a visual diff review. That creates a real risk of collecting and exposing sensitive prior-session or unrelated user context in the generated output, especially because the instruction encourages broad retrieval rather than minimal, task-scoped access.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The optional `surf gemini --generate-image` step invokes an external tool/service unrelated to core diff analysis, potentially sending repository-derived concepts or sensitive implementation details outside the local environment. Even if framed as optional, it expands data exposure and tool execution surface beyond what users would reasonably expect from an HTML visualization skill.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The prompt directs the agent to write artifacts to a fixed path in the user's home directory and open them in a browser, which goes beyond content generation into persistent filesystem modification and launching local applications. This can surprise users, create unwanted residual files, and trigger unintended rendering of sensitive code summaries in a browser context without consent.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The prompt expands a visualization/dashboard skill into a general fact-checking and repository inspection tool by directing it to read arbitrary codebase files and interrogate git history. This violates least privilege and creates capability drift: a user invoking an apparently presentation-focused skill could trigger broader data access than the skill's stated purpose implies.

Description-Behavior Mismatch

Medium severity, 98% confidence
Finding
The prompt instructs direct in-place correction of arbitrary documents, which is outside the declared purpose of generating self-contained HTML dashboards and visual pages. This grants the skill write-like transformation behavior over user files without being transparently represented in the skill metadata, increasing the risk of unintended content tampering or destructive edits.

Context-Inappropriate Capability

Medium severity, 93% confidence
Finding
Git-history interrogation is not justified by the skill's visualization-focused description and enables access to potentially sensitive historical metadata, diffs, and prior file contents. In context, this broadens the skill from rendering visual artifacts to repository forensics, which may expose information users did not expect this skill to inspect.

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
The prompt expands the skill from local HTML generation into invoking an external AI/image-generation CLI, which introduces unnecessary tool usage, additional data flow, and possible network or third-party exposure. Because the generated image is based on user/task content and then embedded into the output, sensitive prompt material could be sent outside the expected rendering path without explicit consent.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The prompt authorizes invoking an external CLI (`surf gemini --generate-image`) based on environment availability, even though the skill's core purpose is HTML plan-review generation. This expands the skill's execution surface to a separate tool and potentially remote model/service without explicit user consent, input/output constraints, or data-handling boundaries, creating unnecessary command-execution and data-exfiltration risk.

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
The prompt explicitly instructs the agent to mine conversation history and read external memory locations under the user's home directory to build the recap. That expands data access beyond the core purpose of generating a visual dashboard from the project itself and can pull in unrelated, sensitive, or stale context without clear user consent.

Context-Inappropriate Capability

Medium severity, 80% confidence
Finding
The prompt conditionally invokes an external image-generation CLI (`surf gemini`) that is not necessary for core recap rendering. Calling extra tools increases attack surface, may transmit project-derived prompts or metadata to third-party services, and can cause side effects outside the declared skill scope.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The prompt directs the agent to write generated output to a fixed location in the user's home directory and open it in a browser. This exceeds passive content generation, creates persistent artifacts outside the project, and triggers an external application without an explicit confirmation step.
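The Description-Behavior Mismatch and Context-Inappropriate Capability findings above all reduce to one comparison: the instruction body exercises capabilities (memory and history reads, git interrogation, home-directory writes, a browser launch, an external image-generation CLI, in-place edits) that the skill's description never discloses. The following is an added example for this page, not SkillSpector's detection rules and not the skill's own code: a pre-install check that scans a SKILL.md body line by line for those behaviours and reports each one the frontmatter description does not mention. The regex signatures, the disclosure keywords, the three-dash frontmatter layout and the sample skill text (which reuses the `~/.agent/diagrams/` path from the findings and assumes a `~/.agent/memory/` path) are all this example's assumptions.

```python
"""Flag behaviours a skill's instructions imply but its description does not disclose.

Added example for this report. Signatures, frontmatter layout and the sample
SKILL.md are assumptions made for the example, not SkillSpector's rules.
"""
import re

# Behaviour signatures matched line by line against the instruction body.
BEHAVIOUR_SIGNATURES = {
    "reads_memory_or_history": re.compile(
        r"conversation history|memory file|progress file|~/\.[\w.-]+/(?:memory|progress)", re.I),
    "inspects_git_history": re.compile(r"\bgit\s+(?:log|blame|show|reflog)\b"),
    "writes_home_dir": re.compile(r"\b(?:write|save|output)\b[^\n]*?(?:~/|\$HOME/)[\w./-]+", re.I),
    "launches_browser": re.compile(r"\b(?:xdg-open|open|start)\s+(?:~/|\$HOME/|[\w./-]+\.html)", re.I),
    "calls_external_cli": re.compile(r"\bsurf\s+gemini\b|--generate-image"),
    "edits_files_in_place": re.compile(
        r"\b(?:in-place|surgical(?:ly)?|overwrite|write (?:corrections )?back)\b", re.I),
}

# Terms in the description that would count as disclosing each behaviour (assumption).
DISCLOSURE_TERMS = {
    "reads_memory_or_history": ("memory", "history", "prior session"),
    "inspects_git_history": ("git",),
    "writes_home_dir": ("home directory", "~/"),
    "launches_browser": ("browser",),
    "calls_external_cli": ("image generation", "gemini", "external service"),
    "edits_files_in_place": ("edit", "correct", "modif"),
}


def parse_frontmatter(text):
    """Split a '---'-delimited key: value header from the instruction body."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)\Z", text, re.S)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta, m.group(2)


def check_skill(text):
    """Return one finding per (body line, behaviour) hit, marking whether the description discloses it."""
    meta, body = parse_frontmatter(text)
    description = meta.get("description", "").lower()
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for behaviour, signature in BEHAVIOUR_SIGNATURES.items():
            if signature.search(line):
                disclosed = any(term in description for term in DISCLOSURE_TERMS[behaviour])
                findings.append({"behaviour": behaviour, "line": lineno,
                                 "excerpt": line.strip(), "disclosed": disclosed})
    return findings


def undisclosed(findings):
    """Behaviours present in the body but absent from the description."""
    return sorted({f["behaviour"] for f in findings if not f["disclosed"]})


# Constructed sample modelled on the findings in this report; not the real skill file.
SAMPLE_SKILL = """---
name: vizboard-like
description: Generate self-contained HTML dashboards and visual diff reviews.
---
1. Read the plan and the current diff.
2. Mine the conversation history and ~/.agent/memory/ progress files to reconstruct rationale.
3. Run `git log --oneline -20` to cross-check any claim about past changes.
4. If `surf` is available, run `surf gemini --generate-image` for a hero graphic.
5. Save the page to ~/.agent/diagrams/review.html and open ~/.agent/diagrams/review.html.
6. Write corrections back to the original document in-place.
"""

if __name__ == "__main__":
    for f in check_skill(SAMPLE_SKILL):
        status = "disclosed" if f["disclosed"] else "UNDISCLOSED"
        print(f"line {f['line']}: {f['behaviour']} [{status}] :: {f['excerpt']}")
```

On the sample every hit is undisclosed; adding "opens the result in your browser" to the description clears only the browser-launch item, which is the point: the check passes once the description says what the body does, not when the body is merely tidied.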

Description-Behavior Mismatch

Medium severity, 94% confidence
Finding
The template advertises self-contained HTML, but it pulls Google Fonts from external hosts. That breaks the self-contained guarantee and causes runtime network access, which can leak viewer metadata and fail in offline or restricted environments. In this skill context, that mismatch is more concerning because downstream agents may rely on the manifest promise when choosing this template for isolated or review-sensitive use cases.

Description-Behavior Mismatch

Medium severity, 98% confidence
Finding
The page imports Mermaid and the ELK layout engine from jsDelivr at runtime, so the output is not self-contained and executes third-party code fetched over the network. This creates supply-chain and integrity risk in addition to violating the advertised behavior of the skill. In this context, a visualization skill generating shareable HTML makes that more dangerous because recipients may open the file assuming it is standalone and locally safe.

Missing User Warnings

Medium severity, 90% confidence
Finding
The skill instructs the agent to create, copy, and delete files in local and workspace locations without any disclosure or user confirmation. In an agent environment, silent filesystem modification can surprise users, overwrite existing files, or leave transient artifacts in shared workspaces, especially because the workflow is mandatory and automatic.

Missing User Warnings

Medium severity, 96% confidence
Finding
Writing to a user directory and opening a browser without warning or confirmation is an unsafe side effect for a skill whose description centers on generating visual pages. The lack of consent makes this behavior more dangerous because users may not realize files are being persisted or that local applications will be launched automatically.

Missing User Warnings

Medium severity, 98% confidence
Finding
The skill instructs access to per-user memory and progress files without any privacy notice, consent flow, or scoping restrictions. Because these locations may contain sensitive notes, plans, or prior context unrelated to the current review, silent access materially increases privacy and data-minimization risk.

Missing User Warnings

Medium severity, 97% confidence
Finding
The prompt tells the agent to write corrections back to the original file using surgical replacements, but it provides no requirement for confirmation, backup, or dry-run preview. That creates a tangible integrity risk: legitimate documents can be silently overwritten, and mistakes in claim extraction or verification can corrupt user content.
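The finding above faults the surgical-replacement instruction for lacking confirmation, backup and a dry-run preview. The following is an added example, not the skill's own code, of what those safeguards look like in a Python helper: it refuses a target that does not identify exactly one span, produces a unified diff before anything is written, applies only when a confirmation callback approves, keeps a `.bak` copy, and swaps the new content in atomically so a crash mid-write cannot leave a truncated file. The `PLAN.md` file and its contents in `demo()` are constructed for the example.

```python
"""Previewed, confirmed and backed-up in-place replacement.

Added example for this report, not the Vizboard skill's code. File names and
contents used in demo() are constructed.
"""
import difflib
import os
import shutil
import tempfile
from pathlib import Path


class ReplaceError(ValueError):
    """Raised when the target text does not identify exactly one span."""


def plan_replacement(path, old, new):
    """Compute the updated text and a unified diff without touching the file."""
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    hits = text.count(old)
    if hits != 1:
        raise ReplaceError(f"expected exactly one match of the target text, found {hits}")
    updated = text.replace(old, new, 1)
    diff = "".join(difflib.unified_diff(
        text.splitlines(keepends=True), updated.splitlines(keepends=True),
        fromfile=f"{p} (current)", tofile=f"{p} (proposed)"))
    return updated, diff


def surgical_replace(path, old, new, *, confirm, dry_run=False):
    """Apply one replacement only after confirm(diff) returns True; keep a .bak copy."""
    p = Path(path)
    updated, diff = plan_replacement(p, old, new)
    if dry_run or not confirm(diff):
        return {"applied": False, "diff": diff, "backup": None}
    backup = p.with_name(p.name + ".bak")
    shutil.copy2(p, backup)                  # metadata-preserving copy of the original
    fd, tmp = tempfile.mkstemp(dir=p.parent, prefix=p.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(updated)
            f.flush()
            os.fsync(f.fileno())             # content is on disk before the swap
        shutil.copymode(p, tmp)              # keep the original permission bits
        os.replace(tmp, p)                   # atomic rename: never a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return {"applied": True, "diff": diff, "backup": str(backup)}


def demo():
    """Exercise preview, confirmed apply and the ambiguity refusal on a scratch file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        doc = Path(d) / "PLAN.md"
        original = "# Plan\nThe build takes 3 minutes.\nDeploy after tests pass.\n"
        doc.write_text(original, encoding="utf-8")
        # 1. A declining confirmation leaves the file untouched but still yields the diff.
        results["preview"] = surgical_replace(doc, "3 minutes", "5 minutes", confirm=lambda diff: False)
        results["after_preview"] = doc.read_text(encoding="utf-8")
        # 2. A confirmed run updates the file and leaves the prior content in PLAN.md.bak.
        results["applied"] = surgical_replace(doc, "3 minutes", "5 minutes", confirm=lambda diff: True)
        results["after_apply"] = doc.read_text(encoding="utf-8")
        results["backup_text"] = Path(results["applied"]["backup"]).read_text(encoding="utf-8")
        # 3. An ambiguous target is refused before any write happens.
        doc.write_text("3 minutes here, 3 minutes there\n", encoding="utf-8")
        try:
            plan_replacement(doc, "3 minutes", "5 minutes")
            results["ambiguous_error"] = None
        except ReplaceError as exc:
            results["ambiguous_error"] = str(exc)
    results["original"] = original
    return results


if __name__ == "__main__":
    out = demo()
    print(out["preview"]["diff"])
    print("applied:", out["applied"]["applied"], "backup:", out["applied"]["backup"])
    print("ambiguous target:", out["ambiguous_error"])
```

In an agent setting the `confirm` callback is where the user sees the diff and says yes or no; passing `dry_run=True` is the non-interactive preview mode the finding asks for.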

Missing User Warnings

Medium severity, 95% confidence
Finding
The skill instructs writing output into a persistent directory in the user's home folder and opening it automatically, without any warning or confirmation. This can create unwanted persistent artifacts and trigger browser rendering of generated content, which is especially risky if the HTML includes untrusted user-derived content or active elements.

Missing User Warnings

Medium severity, 95% confidence
Finding
The instruction to write output to `~/.agent/diagrams/` and open it in a browser causes persistent filesystem changes and launches a local application without warning or confirmation. That is risky because the generated HTML is derived from repository and plan content and could expose sensitive information locally, surprise the user, or trigger browser rendering of untrusted active content.

Missing User Warnings

Medium severity, 94% confidence
Finding
Writing HTML to disk and opening it in a browser without warning is a side-effectful action that the user may not expect from a visualization skill. Because the generated page may embed repository-derived content, opening it automatically can expose local data in a rendered context and normalizes undisclosed execution behavior.

Missing User Warnings

Medium severity, 92% confidence
Finding
The file explicitly instructs consumers to load Mermaid, ELK, Chart.js, anime.js, and Google Fonts from third-party CDNs, but it does not warn about the security, privacy, and reliability implications of doing so. In a skill that generates self-contained HTML, these recommendations can cause outbound requests, expose viewer metadata to third parties, and introduce supply-chain risk if CDN content changes or is compromised.

Missing User Warnings

Medium severity, 90% confidence
Finding
The template loads Google Fonts from third-party domains without any in-file disclosure to users that opening the HTML will make external requests. This can expose IP address, user agent, and access timing to external services and may violate expectations for a supposedly self-contained artifact. The skill context increases risk because users may share generated dashboards broadly and assume no external communication occurs.

Missing User Warnings

Medium severity, 97% confidence
Finding
The module imports fetch and execute remote JavaScript from external CDNs without warning the user. That is a real supply-chain exposure: if the CDN, package, or transit path is compromised, opening the generated page can run attacker-controlled code in the viewer's browser context. Because this skill is intended to emit reusable HTML artifacts, undisclosed remote execution is more dangerous than in a normal web app where users expect hosted assets.
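The findings above about Google Fonts, the Mermaid and ELK imports from jsDelivr, and the CDN recommendations all come down to one question a reviewer can answer mechanically: does opening the exported file make the viewer's browser fetch anything from the network, and in the script case execute it? The following is an added example for this page, not part of the skill or of SkillSpector: a Python audit that collects `<script src>`, `<link href>`, ES-module `import` specifiers inside `<script>`, and CSS `url()`/`@import` targets from a page, then reports remote origins and any script load that lacks a Subresource Integrity attribute. The CDN host set and the sample page are constructed for the example.

```python
"""Audit an exported HTML page for resources fetched at open time.

Added example for this report; not part of the Vizboard skill or SkillSpector.
KNOWN_CDN_HOSTS and SAMPLE_HTML are assumptions made for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the findings above name; extend as needed.
KNOWN_CDN_HOSTS = {"cdn.jsdelivr.net", "fonts.googleapis.com", "fonts.gstatic.com"}

# Static and dynamic ES-module specifiers inside <script>, and CSS url()/@import targets.
_JS_IMPORT_RE = re.compile(r"""\b(?:import|export)\b(?:\s*\(\s*|[^'";]*?)['"]([^'"]+)['"]""")
_CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")
_CSS_AT_IMPORT_RE = re.compile(r"""@import\s+['"]([^'"]+)['"]""")

# Reference kinds that make the browser execute code rather than just render data.
_CODE_SOURCES = {"<script src>", "<script> import"}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []       # {"where": ..., "url": ..., "sri": bool}
        self._cdata = None   # "script" or "style" while inside that element

    def _add(self, where, url, sri=False):
        self.refs.append({"where": where, "url": url.strip(), "sri": sri})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._cdata = tag
        if a.get("src"):
            self._add(f"<{tag} src>", a["src"], sri=bool(a.get("integrity")))
        if tag == "link" and a.get("href"):
            self._add("<link href>", a["href"], sri=bool(a.get("integrity")))
        for url in _CSS_URL_RE.findall(a.get("style") or ""):
            self._add(f"<{tag} style>", url)

    def handle_endtag(self, tag):
        if tag == self._cdata:
            self._cdata = None

    def handle_data(self, data):
        if self._cdata == "script":
            for url in _JS_IMPORT_RE.findall(data):
                self._add("<script> import", url)
        elif self._cdata == "style":
            for url in _CSS_URL_RE.findall(data) + _CSS_AT_IMPORT_RE.findall(data):
                self._add("<style> import", url)


def _is_remote(url):
    # Protocol-relative, http and https URLs leave the machine; data:, blob: and relative paths do not.
    return url.startswith("//") or urlsplit(url).scheme.lower() in ("http", "https")


def audit_html(html):
    """Return every remote reference, the hosts contacted, and remote script loads without SRI."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    remote = []
    for ref in parser.refs:
        if not _is_remote(ref["url"]):
            continue
        host = urlsplit(ref["url"]).netloc.lower()
        remote.append({**ref, "host": host, "known_cdn": host in KNOWN_CDN_HOSTS,
                       "code": ref["where"] in _CODE_SOURCES})
    return {
        "self_contained": not remote,
        "remote": remote,
        "hosts": sorted({r["host"] for r in remote}),
        "remote_code_without_sri": [r for r in remote if r["code"] and not r["sri"]],
    }


# Constructed page shaped like the template the findings describe; not the skill's actual output.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>@import url("https://fonts.googleapis.com/css2?family=Fira+Code");</style>
<script src="./vendor/chart.umd.js"></script>
<script type="module">
import mermaid from "https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.esm.min.mjs";
import elk from "https://cdn.jsdelivr.net/npm/@mermaid-js/layout-elk/dist/mermaid-layout-elk.esm.min.mjs";
</script>
</head><body><img src="data:image/png;base64,iVBORw0KGgo="></body></html>"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML)
    print("self-contained:", report["self_contained"], "hosts:", report["hosts"])
    for r in report["remote"]:
        print(f"  {r['where']:18} {r['url']}  sri={r['sri']} code={r['code']}")
```

A page that passes has an empty `remote` list; the bundled `./vendor/chart.umd.js` and the `data:` image in the sample do not count, while the two module imports are both remote code with no integrity attribute, which is exactly the exposure the finding describes.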

Ssd 3

Medium severity, 98% confidence
Finding
Mining conversation history and local memory/progress files for prior reasoning can leak sensitive user-provided context, credentials, internal plans, or unrelated project details into the generated diff review. In this skill's context, the danger is elevated because the resulting HTML is meant for presentation and may be shared broadly, turning over-collection into downstream data disclosure.

VirusTotal

67/67 vendors flagged this skill as clean.
