Back to skill

Security audit

TaoHtml

Security checks across malware telemetry and agentic risk

Overview

TaoHtml is a coherent report-generation skill, but users should review its persistent corporate-profile storage and vulnerable Pillow dependency range before installing.

Install only if you are comfortable with TaoHtml storing reusable corporate template assets on local disk for the same OS user, and use a patched Pillow version rather than allowing the minimum 10.0 release. The artifacts do not show exfiltration, destructive behavior, or deceptive instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to read many local files, run bundled scripts, perform browser QA, and potentially package outputs, which implies file, shell, and possibly network-capable behavior without any declared permission boundary. This is dangerous because a host may expose broader capabilities than users expect, increasing the risk of unintended file access, command execution, or data movement from loosely bound inputs and referenced paths.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The template hardcodes the report brief in Chinese ('# 报告设计简报' and subsequent field labels) without indicating that output language should follow user preference, project locale, or an explicitly confirmed constraint. In a general-purpose report-generation skill, this can cause incorrect-language deliverables, user misunderstanding, failed approvals, or disclosure/verification errors when stakeholders cannot accurately review required confirmations.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Read `profile-memory.md` and parse enterprise identity from the eligible current material and conversation before asking for a new visual source. Pass only explicit identity candidates to `profile_store.py resolve`; do not add a fixed identity/reuse questionnaire and do not treat the previous task's choice as a permanent preference. One unique active profile binds automatically without reopening reference images, regenerating VI, or asking whether to reuse. Show its concise customer notice, then continue to the Report Design Brief unless the customer objects. Several candidates, unclear identity, alias conflict, or a current requirement/profile conflict permits exactly one selection question; never guess or combine profiles. A different company/customer always uses a separate profile.
- Interpret “这次不用 / 这次换一个” as a task-local `temporary_override` binding that leaves the active version unchanged. Interpret “以后改用 / 更新公司模板” as a new corporate-fidelity VI confirmation plus immutable profile version and atomic active-pointer switch. Do not perform or imply destructive deletion; use archive when the customer wants the profile out of automatic resolution.
- Reading versus presentation is the current task Runtime mode, not a profile conflict. Run the minimal `profile-reuse` preflight, bind the active corporate version with the current mode, and pass that mode to the renderer. Do not ask the customer to rebuild VI, create v2, or abandon the profile for a mode-only change.
- If the user chooses “use my reference”, resolve `reference_mode` once. `reconstruct` accepts exactly one static PNG/JPEG/WebP; `corporate_fidelity` accepts one to three representative static PNG/JPEG/WebP screenshots from the same template family. When the user already asks for “企业模板保真”, “公司模板原样采用”, or equivalent screenshot-visible fidelity, record `corporate_fidelity` without asking again. When intent is still unclear, ask one binary question: **参考风格重构**—提取设计语言,允许重新构图和创新;or **企业模板保真**—锁定截图中可见的企业固定元素,只
...[truncated 26 chars]
Confidence
81% confidence
Finding
without asking

Session Persistence

Medium
Category
Rogue Agent
Content
## Product Boundary

Treat a corporate profile as Skill-managed, inspectable state, not model memory. Use
`TAOHTML_HOME` when set; otherwise use `~/.taohtml`. Never write profiles into the
installed Skill directory. Codex, Claude Code, and other local Agents can reuse the
same home directory when they run as the same user and point to that directory.
Confidence
89% confidence
Finding
write profiles into the installed Skill directory. Codex, Claude Code, and other local Agents can reuse the same home directory when they run as the same user and point to that directory. Do not prom

Known Vulnerable Dependency: Pillow==10.0 — 10 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +7 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
Pillow==10.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.