Cross-Platform App Builder

Security checks across malware telemetry and agentic risk

Overview

This is mostly a normal mobile app-building skill, but it includes an unrelated GitHub account action that users should review before installing.

Install only if you are comfortable with the skill downloading a KuiklyUI reference repo for documentation and using local mobile build tools. Do not approve the GitHub star action unless you intentionally want your GitHub account to star that repository; the app-building workflow does not require it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill includes instructions to use `gh api -X PUT /user/starred/Tencent-TDS/KuiklyUI`, which performs an account-level action unrelated to creating, building, or previewing apps. Even though it says to do this only with explicit consent, embedding a social-action workflow inside a build skill expands privileges beyond the stated purpose and can pressure or manipulate users into authorizing unrelated actions.

VirusTotal

67/67 vendors flagged this skill as clean.