
Security audit

Virse Design

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly coherent Virse design-platform integration, but it gives the agent broad account-level workspace authority and includes broad activation plus self-update behavior that users should review before installing.

Install this only if you want an agent to log into Virse, read your workspaces and canvas assets, generate images that may consume credits, and create, update, organize, or delete Virse content. Be cautious with generic requests that might trigger it, approve destructive or cross-workspace actions explicitly, review any update prompt carefully, and remove ~/.virse/token when you no longer want persistent account access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes broad capabilities through Bash and documented commands that read files, write files, use environment variables, invoke networked Python clients, and run shell commands, yet it does not declare equivalent permissions or clearly constrain those actions. This weakens reviewability and increases the chance that a user invoking a design-related skill unknowingly triggers sensitive local or network operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a design-platform assistant, but its behavior includes authentication flows, token persistence, direct tool/RPC access, update checks, and repository modification. That mismatch can cause users or orchestration systems to authorize a much broader trust boundary than intended, enabling sensitive operations under the guise of ordinary design help.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The self-update section executes code to check for updates and, on consent, performs git pulls and in-place edits to SKILL.md. A user-facing skill that can modify its own repository creates a software supply-chain and integrity risk: compromised upstream content or a manipulated repo state could change future behavior beyond the original review scope.

Vague Triggers

High
Confidence
92% confidence
Finding
The activation text is so broad that the skill may be selected for many generic design or image tasks even when the user did not request Virse specifically. Because this skill can initiate auth flows, networked tool access, and maintenance actions, over-triggering materially raises the chance of unintended execution in the wrong context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs a silent code-executed update check on first load without user-facing disclosure. Even if the check is read-only, it creates undisclosed network activity and trust in remote update metadata, which is inappropriate for a user-invocable skill and can leak environment usage patterns or enable social engineering around updates.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase 'Applicable to any multi-stage image generation pipeline — not limited to specific module counts or product types' broadens the procedure beyond the narrowly described product-listing use case. In an agent skill, this can cause over-triggering or inappropriate reuse of the workflow in contexts the author did not validate, increasing the chance of incorrect actions on unrelated canvases or assets.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The instruction 'English only' hard-codes output language without checking user preference or workspace context. This can override user intent, produce unsuitable content for non-English campaigns, and reduce reliability in multilingual design workflows.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger keyword "curate" is very broad and can match many normal user requests unrelated to asset-folder organization. In an agent-routing context, this can cause the skill to activate unexpectedly, leading to unintended access to canvas, element, and asset metadata and actions such as folder creation or image linking when the user meant something else.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes very broad, common phrases such as "create a set of" and "lay them out," which can match ordinary user requests that are not specifically intended for this skill. In an agent environment, this can cause unintended invocation of design-generation actions, increasing the chance of misrouting user tasks, unexpected API calls, and accidental credit consumption.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough to activate this playbook for ordinary requests like 'consolidate' or 'gather images,' which can cause the agent to enumerate and scan multiple workspaces. In this skill, that broad matching is more dangerous because the workflow explicitly performs cross-workspace discovery and collection, creating unnecessary exposure of workspace names, asset metadata, and image contents if invoked unintentionally.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes generic phrases such as "iterate" and "keep tweaking," which are common in many unrelated conversations. This can cause the skill to activate outside its intended Virse/image-refinement context, leading to incorrect tool use, unintended actions on canvases or assets, and expanded attack surface for prompt-trigger abuse.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase "search for ... and organize" is broad enough to activate this skill for many unrelated user requests that merely mention searching and organizing content. In an agent environment, ambiguous routing can cause the wrong toolchain to run, leading to unintended external searches, asset ingestion, and workspace modifications without clear user intent for a design-board workflow.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger keyword "compare" is generic and likely to appear in many unrelated user requests, which can cause this skill to activate outside its intended Virse image-variation workflow. In an agent setting, over-broad invocation can lead to unintended access to canvas, asset, or account-related actions, increasing the chance of inappropriate tool use or data exposure through misrouting.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes token-based upload flows and direct HTTP file transfer instructions, including local file upload via curl, without prominently warning that local files and remote image URLs are transmitted to Virse-controlled remote services. In an agent-skill context, this can normalize or encourage exfiltration of user-local content or third-party URLs without clear consent boundaries, especially because upload tokens and upload endpoints are presented as routine operational steps.

Ssd 3

Medium
Confidence
96% confidence
Finding
The workflow explicitly instructs the agent to retrieve and display full prompts, parameters, and text content from upstream assets. That can expose sensitive user-provided data, proprietary prompts, internal notes, or embedded secrets from related assets to anyone who can invoke lineage tracing, especially in collaborative workspaces where provenance may span multiple contributors.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.