fullstack-project-creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a project scaffolder that writes local Spring Boot and Vue starter files after asking where to generate them.

Install this if you want an agent to scaffold full-stack projects on your filesystem. Before generation, review the destination path, prefer a new or empty folder, and be cautious with any permission-change advice such as running as administrator, chmod, or chown.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger rules are extremely broad (e.g., generic phrases like "create project," "build system," or even "X project/module"), making unintended activation likely during normal conversation. In a skill that can create directories and files on disk, accidental invocation increases the risk of unwanted filesystem changes and overbroad agent behavior.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description says it will create a project structure, but it does not prominently warn that it will write files and directories to disk. Users may invoke it expecting advisory help only, not realizing it performs persistent local changes, which weakens informed consent for filesystem operations.

VirusTotal

63/63 vendors flagged this skill as clean.
