Extract Design

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate webpage design-extraction tool, with disclosed browser automation and local style-reference outputs, though users should note its dependency installs, file-output options, and remote font references.

Install only from a source you trust, expect Playwright/Chromium and target webpages to be loaded during use, avoid running it on private authenticated pages unless intended, and review generated specimen files before reusing them. If offline or privacy-sensitive use matters, remove or localize the Google Fonts imports and keep output paths inside the skill directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium. Confidence: 79%.

The skill tells the agent to install Playwright and browser binaries and execute external scripts via shell commands. Even if intended for design extraction, this expands the operational surface to package installation and code execution, which can introduce supply-chain, sandbox, and environment-modification risks beyond the core task.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.

The documentation explicitly demonstrates saving extracted data to arbitrary locations like `/tmp/styles.json`, contradicting the earlier claim that outputs never leave `assets/theme/`. This weakens the only stated containment boundary and can be exploited to redirect outputs to unintended filesystem locations, including sensitive project paths.

Context-Inappropriate Capability

Severity: Low. Confidence: 95%.

The stylesheet imports a Google Fonts URL, which causes the supposedly local style specimen to make a third-party network request when opened. In this skill's context, the artifact is described as a reusable reference file saved under assets/theme, so unexpected external access undermines self-containment and can leak access metadata such as IP address, user agent, and timing information.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.

The specimen imports Google Fonts via `@import`, which causes the local reference file to make an outbound network request when opened. In this skill context, the output is supposed to be a reusable artifact saved under the skill's own assets directory, so introducing a third-party dependency weakens offline reproducibility, leaks access metadata to an external service, and can unexpectedly change rendering if the remote asset changes or becomes unavailable.

Description-Behavior Mismatch

Severity: Medium. Confidence: 96%.

The script accepts a caller-supplied output path from argv and writes JSON to it without constraining the destination to the skill's own assets/theme/ directory. In an agent setting, this violates the declared storage boundary and can be abused to overwrite arbitrary files writable by the process, making the skill more dangerous than its stated purpose suggests.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.

A design-extraction helper only needs to persist results within its own controlled workspace, but this script exposes a general file-write primitive via the output_file argument. That unnecessary capability expands the attack surface because any upstream prompt injection, agent misuse, or untrusted caller input could turn a harmless extractor into a tool for writing attacker-chosen content to sensitive filesystem locations.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.

The script accepts a caller-controlled --out path and writes extracted data directly to that location, which violates the skill contract that outputs remain under the skill's own assets/theme directory. In an agent context, this can enable unintended file overwrite or placement of generated content into arbitrary project paths, potentially clobbering user files or bypassing containment expectations.

Missing User Warnings

Severity: Low. Confidence: 97%.

The external font import sends requests to a third-party service without disclosure, which exposes page access metadata whenever the HTML file is opened. In the context of an internal design-reference artifact, this is more concerning because users reasonably expect a local specimen file in assets/theme to be self-contained and not leak environment or usage data externally.

Missing User Warnings

Severity: Low. Confidence: 89%.

The external font import silently contacts Google without any notice in the artifact itself, creating an undisclosed third-party network call. While this is not code execution, it is still a security/privacy issue because opening what appears to be a local design reference leaks request metadata and may violate expectations for a self-contained asset.

VirusTotal

66/66 vendors flagged this skill as clean.