Capacitor

Security checks across malware telemetry and agentic risk

Overview

This is a Capacitor development reference skill with disclosed commands for installs, builds, live updates, and publishing, not an executable package that runs those actions on its own.

Install this if you want a Capacitor reference skill. Before allowing an agent to run examples, review project-changing commands, cloud login, CI token use, live update uploads, native builds, and app store deployment actions. For OTA live updates, use staged rollout, rollback, audit logging, integrity checks or signed bundles, and clear limits on changing security-sensitive app behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill promotes OTA live updates and immediate delivery of web code changes, but it does not warn that this bypasses normal app store review/update expectations and can materially change app behavior after installation. In a mobile app context, that omission can lead developers to ship powerful remote code/content update mechanisms without user disclosure, policy review, rollback controls, or integrity safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.
