Intelligent UI beautification skill supporting 30 design styles (Notion/Figma/Linear/Apple, etc.), with automatic project type detection and live preview generation

Security checks across malware telemetry and agentic risk

Overview

This UI beautification skill is mostly aligned with its purpose, but its preview mode is advertised as non-modifying while the script can still create or overwrite files in the target project.

Review carefully before installing. Use this only on a Git-backed or copied project, prefer --dry-run for inspection, and do not rely on --preview as safe or read-only because it can create or overwrite files in the target project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The help text promises that `--preview` will only generate a preview and not modify the original project, but the main flow still creates and writes `DESIGN.md`, `styles/theme-override.css`, optionally `tailwind.config.js`, `assets/theme-override.css`, tokens, and snippets before generating the preview. This breaks user expectations and can cause unintended repository changes or overwrite project files in workflows that rely on preview mode being non-destructive.

VirusTotal

67/67 vendors flagged this skill as clean.
