Back to skill

Security audit

Logo Svg Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent logo-generation workflow that writes local design files and uses a vision-capable LLM for review, with no evidence of hidden or destructive behavior.

Install only if you are comfortable with generated logo assets and brief details being saved locally under output/<slug>/ and, by default, shared with a vision-capable LLM for review. For confidential unreleased branding, use an approved model/workspace or the explicit structural-only/no-review path and perform human review yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The skill presents vision review as a hard safety/quality gate, but elsewhere allows users or callers to bypass it for speed. That inconsistency can cause downstream agents to skip the review loop silently or too casually, reducing assurance about output quality and violating user expectations about how the skill operates.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill writes generated assets, review sheets, and history artifacts to local output directories, but the top-level description does not prominently disclose this behavior. In environments handling sensitive briefs, users may unintentionally persist confidential branding concepts or product names to disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow sends the rendered logo and associated brief context to a vision-capable LLM for review, but this external data flow is not clearly disclosed up front. If users provide confidential product names, unreleased branding, or strategy hints, that information may be transmitted to a third-party model without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.