Back to skill

Security audit

Arkit Visionos Developer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only ARKit visionOS development skill whose sensor-permission guidance fits its stated purpose.

Reasonable to install for ARKit visionOS development. Before shipping code based on it, review any requested camera, hand-tracking, world-sensing, room, scene reconstruction, or shared spatial permissions, write clear user-facing permission text, avoid retaining or transmitting sensor data unless necessary, and handle denied authorization cleanly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill instructs developers to enable world sensing, hand tracking, and main camera access, but it does not explicitly warn about the privacy sensitivity of collecting spatial, camera, and hand data or advise minimizing collection and disclosure. In a developer-facing skill for ARKit on visionOS, this omission can lead downstream implementations to request broad permissions without sufficient user transparency or privacy-by-design safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.