Ionic App Development

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Ionic development skill; the main caution is that some optional device-testing commands expose a dev server to the local network.

Safe to install as a reference skill. Before following setup commands, confirm you trust the `@ionic/cli` npm package, and use `--external` or live reload only temporarily on trusted networks because it can expose your dev server to other local devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 91%
Finding
The skill recommends `ionic serve --external` for device testing, which binds the development server to all network interfaces, but it does not warn that this increases exposure to other devices on the same local network. While this is common developer guidance and not inherently malicious, dev servers often expose debugging features, source maps, and in-progress application state that should not be broadly reachable.

Missing User Warnings

Low
Confidence: 95%
Finding
The live-reload device testing instructions use `npx cap run android --livereload --external` and `npx cap run ios --livereload --external` without explaining that this exposes the development server beyond localhost. In a development context this is a relatively low-severity issue, but on shared or untrusted networks it can allow nearby systems to access the app under development and any associated debug functionality.

VirusTotal

66/66 vendors flagged this skill as clean.
