Security audit

Mind Map

Security checks across malware telemetry and agentic risk

Overview

This mind-map skill appears purpose-aligned overall, but it has under-disclosed automatic network font download and default persistence of user markdown that users should review before installing.

Install only if you are comfortable with the skill writing output files and possibly retaining your source markdown locally. Avoid using it with sensitive notes unless you control the output directory, and prefer an offline or patched version that uses bundled/system fonts instead of automatically downloading a font from GitHub.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill declares only Bash/Read/Write tools, but its documented behavior includes network access to download a font on first run. Undeclared network behavior reduces transparency and user consent, and creates supply-chain and privacy exposure because execution can contact remote infrastructure unexpectedly.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The stated purpose is simple PNG mind-map generation, but the skill also reads arbitrary local files, writes copies of user input to disk, and may download a font remotely. This mismatch is security-relevant because users may provide sensitive notes assuming only transient rendering, while the skill persists data and performs network activity outside the advertised scope.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The skill silently downloads a font from GitHub at runtime, which is behavior not implied by a simple local PNG-generation utility. Undeclared outbound network access expands the trust boundary, can leak environment metadata such as IP/network access patterns, and introduces supply-chain risk if the remote content changes or is tampered with.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The remote font download is not essential to the core task because the code already supports local system font fallbacks. Including unnecessary network capability in a content-rendering skill increases attack surface and creates a supply-chain dependency where a remote asset can affect local processing.

Missing User Warnings

Low

Confidence: 85% confidence
Finding: The markdown description omits that the skill may download a font and write generated artifacts, including saved markdown, to local storage. While not an exploit by itself, this is a real security transparency issue because users are not warned about persistence and outbound access before invocation.

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The reference states that the skill automatically downloads a font from a remote GitHub-hosted URL and writes it into a local cache on first run, but it does not clearly warn users that network access and disk writes will occur. This creates a transparency and supply-chain risk: users may unknowingly trigger outbound requests and persist unverified binary content locally, which is especially relevant in constrained or privacy-sensitive environments.

Missing User Warnings

Low

Confidence: 96% confidence
Finding: The documentation says the provided markdown input is saved into the output folder, but it does not clearly warn that user-supplied content will be persisted to disk by default. This can expose sensitive notes, prompts, or proprietary content if users expect a transient transformation rather than storage.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code downloads and caches executable-input-adjacent content (a font file parsed by Pillow/FreeType) from the network without warning the user. Silent retrieval of parser-consumed binary assets is risky because malformed or malicious fonts can trigger vulnerabilities in font parsing libraries, and the lack of disclosure prevents informed consent in restricted environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.