Back to skill

Security audit

Licia

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only helper for using the Licia JavaScript utility library, with some risky APIs documented but no hidden execution or malware behavior.

Install only if you want agents to suggest Licia utilities in JS/TS code. Review suggestions before accepting imports, and require explicit user intent for filesystem, process-control, URL/file opening, network, and raw HTML DOM APIs; use safer text or sanitized DOM patterns for untrusted content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documented surface includes filesystem, process, network, and OS/container capabilities that materially exceed the skill's declared purpose of code simplification and utility refactoring. In an agent setting, this kind of overbroad capability expansion increases blast radius and can enable unintended file access, process interaction, or external communication if the skill is selected implicitly.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A documented `kill(pid)` capability is dangerous in a general-purpose agent skill because it permits termination of arbitrary local processes unrelated to the user's request. Even if presented as library documentation, exposing or normalizing this capability inside a code-assistance skill creates a path to denial of service or disruption of developer tooling and security agents.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A function that opens URLs/files and returns a child process extends the skill into local execution and external resource access far beyond code refactoring. In an agent environment, that can be abused to launch programs, trigger protocol handlers, or exfiltrate data through browser or OS-integrated handlers.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Broad read/write/delete directory and file operations are not justified by a utility-library simplification skill and create direct access to the local filesystem. In an agentic context, such capabilities can enable sensitive file disclosure, persistence, tampering, or destructive actions if the skill is invoked on untrusted prompts or misrouted tasks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Network request helpers and WebSocket capabilities broaden the skill from local code utilities into arbitrary outbound communication. In a code assistant, this increases the risk of data exfiltration, SSRF-like behavior against internal services, or silent interaction with attacker-controlled endpoints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The HTML insertion APIs accept raw HTML strings for `before`, `after`, `append`, and `prepend` without warning about sanitization or trusted-source requirements. This encourages patterns that can lead to DOM XSS when untrusted content is inserted into the page.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `html()` setter directly models innerHTML-style behavior and the documentation presents it without any warning about untrusted input. This can normalize unsafe DOM insertion and lead users to introduce XSS vulnerabilities when passing attacker-controlled strings.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The activation text is broad enough to trigger on very common JavaScript/TypeScript tasks such as utility functions, data manipulation, string processing, DOM operations, or almost any hand-rolled helper. Overbroad triggering can cause the skill to activate in many unrelated contexts, increasing the chance that the agent imports unnecessary libraries, changes implementation choices unexpectedly, or surfaces unrelated capabilities from the bundled utility set.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
|Name     |Desc               |
|---------|-------------------|
|dir      |Directory to create|
|mode=0777|Directory mode     |
|cb       |Callback           |

### sync
Confidence
84% confidence
Finding
mode=0777

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.