Back to skill

Security audit

Pulse Editor Vibe Coding APIs

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Pulse Editor API helper that sends app prompts to Pulse Editor and may publish generated apps, with no evidence of hidden or destructive behavior.

Install only if you trust Pulse Editor and the publisher. Use a scoped API key or credential manager, avoid placing secrets or regulated data in prompts, and confirm before updating an existing app or publishing a live generated app.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs use of environment variables and outbound network access, but the metadata does not declare those permissions. Undeclared capabilities reduce transparency and informed consent for users and agents, making it easier to exfiltrate prompts, credentials, or generated code without an explicit permission boundary.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promotes sending prompts and app-generation content to a third-party cloud service and states that apps are automatically built and published, but it does not present this as a prominent privacy and deployment warning. Users may unknowingly transmit sensitive source code, business logic, or secrets to an external service and trigger public or semi-public publication of generated artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.