Security audit

Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a local calculator skill whose files match its stated purpose, with a restricted eval-based math evaluator that users should avoid giving adversarial or extremely large expressions.

Install only if you are comfortable running a small local Python calculator script. Use it for ordinary calculations and conversions, and avoid untrusted, adversarial, or extremely large expressions because the evaluator relies on restricted Python eval rather than a fully resource-limited parser.

SkillSpector

By NVIDIA

Vulnerability Patterns

Behavioral ASTexec() Call, eval() Call, Dynamic Import
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

eval() call detected

High

Category: Dangerous Code Execution
Content: if name not in allowed_names: return {"error": f"Unknown function or variable: {name}"} result = eval(code, {"__builtins__": {}}, allowed_names) # Format result if isinstance(result, (int, float)):
Confidence: 71% confidence
Finding: result = eval(code, {"__builtins__": {}}, allowed_names)

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical

Code: suspicious.dynamic_code_execution
Location: scripts/calculator.py:71