Back to skill

Security audit

Flutter Dev

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Flutter development guide, with no executable install code or hidden agent behavior found.

Safe to install as a Flutter reference skill. When copying examples into a real app, review the disk-cache, request logging, auth-token, password-form, and mobile-permission snippets for production privacy and security controls such as avoiding sensitive caching/logging, clearing cached data on logout, and requesting only necessary platform permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The disk cache example persists arbitrary API GET response bodies to Hive without any filtering, encryption, or warning about storing potentially sensitive user data on device. In a Flutter app, this can lead to unintended retention of personal, account, or session-related data that may be exposed on compromised devices, backups, or shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/forms.md:459