Chart Generator (Alex)

Security checks across malware telemetry and agentic risk

Overview

This looks like a normal chart-generation skill that writes requested chart outputs locally, with no evidence of network exfiltration or hidden privileged behavior.

Install only if you want a local chart generator. When using file-generating commands, specify the output path and avoid feeding sensitive datasets unless you are comfortable storing the resulting chart files locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 74%
Finding
Overly broad trigger terms like 'chart' and 'graph' can cause unintended invocation of the skill in contexts where the user did not intend to run a file-writing or command-backed tool. In agent ecosystems, accidental activation can lead to unnecessary file creation, exposure of user data to the tool pipeline, or confusing execution of the wrong capability.

Missing User Warnings

Low
Confidence: 80%
Finding
The skill documents HTML/SVG file generation but does not prominently warn users that running certain commands will write files to disk. In an agent setting, silent file creation can surprise users, overwrite expected locations, or violate execution expectations, especially if output paths are agent-chosen or defaulted.

VirusTotal

No VirusTotal findings
