Back to skill

Security audit

图表转图片

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent chart-to-image helper, but users should only render chart HTML, SVG, or Canvas code they trust.

Install only if you are comfortable using it with chart code you trust. Avoid pasting untrusted HTML, SVG, or JavaScript into any generated renderer unless it is sandboxed, because active browser content may execute.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly invites users to supply arbitrary HTML, SVG, and Canvas JavaScript for rendering, which creates a clear pathway for active content execution if the generated HTML is opened in a browser-like environment. Because the documentation frames this as normal usage and provides no warning, sandboxing requirements, or trust boundary guidance, users may process untrusted input and trigger script execution, data exfiltration, or local file abuse through embedded active content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.