CAD Viewer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real CAD analysis skill, but it needs review because it can run privileged setup, download third-party CAD tools, and persist project-local learning files.

Install only if you are comfortable with a CAD tool that may run external renderers and, during explicit setup, use sudo and download third-party CAD binaries. Prefer manual setup or a VM/container, review `scripts/setup.sh` before running it, and disable or inspect `.learning/` files for sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    command.extend(["-o", output_path, dwg_path])

    try:
        result = subprocess.run(command, capture_output=True, text=True, timeout=120)
        if os.path.exists(output_path):
            file_size = os.path.getsize(output_path) / 1024
            print(json.dumps({
Confidence
90% confidence
Finding
result = subprocess.run(command, capture_output=True, text=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly expects shell execution, file reads, and environment inspection, but does not declare permissions accordingly. This creates a transparency and policy-enforcement gap: a caller may treat it as low-risk CAD analysis while it can invoke commands and inspect the local environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is CAD analysis, but the documented behavior extends to package installation, privileged system changes, external binary downloads, environment diagnostics, and PDF export. This mismatch is dangerous because users and orchestrators may authorize the skill for analysis tasks without realizing it can modify the system and fetch remote software.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README presents the skill as a CAD analysis tool, but it also documents an installation path that can modify the host by downloading and installing external software and system packages. That broadens the trust boundary from passive file analysis to privileged system administration, which is risky for an auto-invoked agent skill because users may not expect host changes from this capability.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documented setup flow performs automatic network downloads and installation of third-party software, which introduces supply-chain and privilege risks unrelated to simple CAD analysis. In an agent context, automatic retrieval and installation can be abused or unexpectedly executed on behalf of the user, especially if the skill is triggered broadly.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Repeated automatic downloading of QCAD releases expands the skill beyond CAD viewing into network-enabled software acquisition and execution preparation. This increases exposure to supply-chain compromise, version drift, and unreviewed binary installation, particularly dangerous when combined with setup automation and possible privileged execution.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation says the skill does not automatically install packages, but later states first run auto-installs dependencies and writes a setup marker. Contradictory security claims are risky because they defeat informed consent and can cause operators to execute the skill under false assumptions about network, package, and privilege use.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The error-handling section promises no automatic installation, yet the notes section says first run installs dependencies automatically. This inconsistency increases the chance that the skill will perform unexpected system changes during routine use, including package installation and file creation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
A persistent self-learning system that reads and writes project-level `.learning/` files is not necessary for CAD viewing and analysis. Adding cross-session memory broadens data access and retention, increasing the chance of collecting sensitive project details unrelated to the immediate task.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill expands from CAD analysis into generalized project memory and workflow tracking, which is outside the described scope. Scope creep is dangerous in agent skills because it normalizes additional file access and persistence that users did not request and may not expect.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill includes host environment setup and dependency installation orchestration, which exceeds a normal CAD analysis role and increases the attack surface substantially. In an agent setting, a 'setup' action can modify the host, install third-party packages, and make trust decisions based on user input paths, creating a risky capability escalation path.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill invokes external host commands for rendering and tool usage, which is materially more dangerous than pure file parsing. In the CAD context this is especially sensitive because DWG/DXF files are complex and historically parser-heavy formats; handing untrusted drawings to external GUI/rendering utilities can trigger memory corruption or arbitrary code execution in those tools.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The auto-trigger condition is broad enough that ordinary discussion of DWG/DXF or CAD concepts could activate the skill unexpectedly. In an agent system, overbroad triggering is dangerous because it can cause unintended tool use, file handling, or setup suggestions in contexts where the user did not request operational actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file states that the skill performs automatic dependency installation and requires root/sudo on first run, but it does not prominently warn users about system modification, package installation, or the trust boundary introduced by external installers. In an agent skill context, silent or insufficiently disclosed privileged setup is dangerous because it can lead to unexpected host changes and increases the blast radius if the install path or downloaded components are compromised.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The warnings around automatic setup and marker-file creation are contradictory and incomplete, which can mislead users about when the skill writes files or changes the environment. Poorly disclosed side effects are security-relevant because they undermine consent and operational review.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The `texts` command extracts and prints all text, MTEXT, and block attribute content from CAD drawings, which can include names, addresses, device IDs, panel labels, credentials, or other sensitive design data. In a skill context, bulk extraction without an explicit warning, minimization, or consent control increases the risk of accidental data exfiltration and overexposure.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill instructs mandatory review of prior `.learning/` records at the start of every task, causing project information from earlier sessions to influence future responses. This creates unnecessary persistence and cross-session data exposure, especially problematic for sensitive engineering drawings and user preferences.

Ssd 3

Medium
Confidence
94% confidence
Finding
The logging rules direct the agent to store user corrections, preferences, errors, and insights in plain-language local files. This broad data collection can accumulate sensitive operational context over time and may expose information beyond what is needed for CAD analysis.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- The `{SKILL_DIR}` placeholder refers to the directory containing this SKILL.md file
- **First run may take 1-3 minutes** as the tool automatically installs all dependencies
- After first setup, a marker file is created at `assets/.setup_done` to skip future setup
- To re-run setup (e.g. after system update), delete `assets/.setup_done` and run any command
- DWG files require ODA File Converter for reading; DXF files can be read directly
- Screenshot quality is best with QCAD dwg2bmp; matplotlib is a reasonable fallback
- Large drawings may take several seconds to load — this is normal for complex engineering files
Confidence
84% confidence
Finding
run any command

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- **OS**: Linux x86_64 (Ubuntu/Debian/RHEL/CentOS supported)
- **Python**: 3.8+ (system installed, other deps auto-installed)
- **Permissions**: root or sudo (required for installing system packages on first setup)

> macOS / Windows not supported (ODA File Converter and QCAD are Linux x86_64 only)
Confidence
95% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
**Permission errors on first run**

setup.sh requires root permissions to install system packages. Please run as root or via sudo.

**ODA automatic download fails**
Confidence
95% confidence
Finding
run as root

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
**Permission errors on first run**

setup.sh requires root permissions to install system packages. Please run as root or via sudo.

**ODA automatic download fails**
Confidence
95% confidence
Finding
requires root permissions

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
## System Requirements
- **OS**: Linux x86_64 (Ubuntu/Debian/RHEL/CentOS)
- **Python**: 3.8+
- **Permissions**: root/sudo (required for installing system packages on first run)

## External Dependencies
This Skill depends on the following external tools (auto-installed by setup.sh):
Confidence
94% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- **Python 3.8+** (system installed)
- **Python packages**: `ezdxf` and `matplotlib` must be installed before use
- **root/sudo permissions** (only if you choose to run automatic setup)
- **x86_64 Linux system**

## Setup Options
Confidence
90% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
pip3 install ezdxf matplotlib

# 2. Install system packages (Ubuntu/Debian)
sudo apt-get install xvfb libgl1-mesa-glx libglu1-mesa

# 3. Download and install ODA File Converter manually from:
# https://www.opendesign.com/guestfiles/oda_file_converter
Confidence
91% confidence
Finding
sudo

VirusTotal

67/67 vendors flagged this skill as clean.