一键生成项目

Security checks across malware telemetry and agentic risk

Overview

This is a real one-click project generator, but it can automatically drop and recreate database tables and generates insecure demo-style authentication without enough safeguards.

Install only for local development or a disposable sandbox. Do not point it at a production or shared database; inspect init.sql first, use a restricted MySQL account, back up data, and change or remove the generated default-password authentication before exposing the app to any network.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Behavioral ASTexec() Call, eval() Call, Dynamic Import

Findings (17)

os.system() or os exec-family call

High

Category: Dangerous Code Execution
Content: ''' bat_path = backend_dir / 'start-backend.bat' bat_path.write_text(bat_content, encoding='gbk') os.system(f'start "" "{bat_path}"') print(f"{Colors.GREEN}[SUCCESS] 后端服务已在新窗口启动{Colors.RESET}") return True
Confidence: 88% confidence
Finding: os.system(f'start "" "{bat_path}"')

os.system() or os exec-family call

High

Category: Dangerous Code Execution
Content: ''' bat_path = frontend_dir / 'start-frontend.bat' bat_path.write_text(bat_content, encoding='gbk') os.system(f'start "" "{bat_path}"') print(f"{Colors.GREEN}[SUCCESS] 前端服务已在新窗口启动{Colors.RESET}") time.sleep(5)
Confidence: 88% confidence
Finding: os.system(f'start "" "{bat_path}"')

subprocess module call

Medium

Category: Dangerous Code Execution
Content: return False try: result = subprocess.run(f'"{mvn_path}" clean package -DskipTests -q', cwd=backend_dir, shell=True, capture_output=True, timeout=300) if result.returncode == 0: print(f"{Colors.GREEN}[SUCCESS] 后端构建成功{Colors.RESET}")
Confidence: 93% confidence
Finding: result = subprocess.run(f'"{mvn_path}" clean package -DskipTests -q', cwd=backend_dir, shell=True, capture_output=True, timeout=300)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: return False try: result = subprocess.run(f'"{npm_path}" install', cwd=frontend_dir, shell=True, capture_output=True, timeout=180) if result.returncode == 0: print(f"{Colors.GREEN}[SUCCESS] 前端依赖安装成功{Colors.RESET}")
Confidence: 93% confidence
Finding: result = subprocess.run(f'"{npm_path}" install', cwd=frontend_dir, shell=True, capture_output=True, timeout=180)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: try: # 启动后端服务 cmd = f"start /B java -jar {jar_file} --server.port={self.backend_port}" subprocess.run(cmd, shell=True, cwd=backend_dir) print(f"{Colors.GREEN}✅ 后端服务已启动 (端口: {self.backend_port}){Colors.RESET}") return True
Confidence: 98% confidence
Finding: subprocess.run(cmd, shell=True, cwd=backend_dir)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: try: # 启动前端开发服务器 cmd = f"start /B npm run dev -- --port {self.frontend_port}" subprocess.run(cmd, shell=True, cwd=frontend_dir) print(f"{Colors.GREEN}✅ 前端服务已启动 (端口: {self.frontend_port}){Colors.RESET}") return True
Confidence: 94% confidence
Finding: subprocess.run(cmd, shell=True, cwd=frontend_dir)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill advertises and documents capabilities that imply file read/write, network access, and shell execution, but no permissions are declared. This creates a dangerous transparency and consent gap: users and policy systems cannot accurately evaluate that the skill can modify files, execute commands, access databases, install dependencies, and launch services/browser windows.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The documented purpose does not match the described operational behavior: it claims full project generation while analysis indicates the script may only deploy/start an existing project and also performs additional environment/service monitoring and dependency checks. Description-behavior mismatch is security-relevant because users may authorize a broader or different set of actions than they intended, especially when the skill can run shell commands and touch external services.

Description-Behavior Mismatch

Medium

Confidence: 84% confidence
Finding: The generator creates authentication and RBAC management endpoints despite being framed as scaffolding/startup automation, materially expanding the attack surface of any generated app. This matters because the generated security-sensitive code is simplistic and unaudited, so users may deploy it believing it is safe boilerplate.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The script performs live database initialization by executing generated SQL containing DROP TABLE and CREATE TABLE statements, which can destroy existing data. In a one-click startup tool this is especially dangerous because users may run it against real databases expecting non-destructive setup behavior.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The generated AuthController accepts a universal plaintext password '123456' for any existing user and returns a fabricated token without validating it later, effectively bypassing real authentication. In the generated app context this means trivial account compromise and complete collapse of access control.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The SQL seeds bcrypt-like password hashes, but the login logic separately accepts the plaintext default password directly, so authentication no longer depends on the stored hash. This contradiction creates a hidden backdoor-like behavior that users of the generated project are unlikely to notice.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation describes database initialization, dependency installation, service startup, and automatic browser opening without an explicit warning that these actions modify the system and may alter or overwrite data. In a one-click automation context, lack of prominent warnings increases the risk of unintended schema changes, startup of exposed services, and surprise execution on the host.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill documentation exposes default credentials such as admin/123456 and user/123456 without a strong warning to rotate them immediately. Default credentials are a common real-world compromise path; because this skill also automates startup and may expose services locally or on reachable interfaces, the context makes the risk more acute.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The workflow proceeds through code generation, database testing, SQL execution, builds, and service startup without any explicit user confirmation, even though it writes many files and later performs destructive DB actions. In an automated one-click skill, lack of checkpoints increases the chance of accidental destructive changes on the operator's machine.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The database initialization path executes DROP TABLE statements with no prior warning or confirmation, creating a direct data-loss hazard. Because the tool is positioned as streamlined startup automation, operators are more likely to run it quickly and against the wrong environment.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script automatically executes an initialization SQL file against the configured database without any interactive confirmation, dry-run mode, or environment guard. In this skill's context, the metadata explicitly supports remote database execution, making accidental or unauthorized schema/data modification significantly more dangerous because a user may point it at a non-local or production database.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal