Software UI Design

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward UI design helper that uses user-provided design files and a Figma token for Figma API access, with no evidence of hidden persistence or unrelated data access.

Install only if you are comfortable processing design files through this skill. For Figma, use a dedicated or least-privileged token where possible, avoid putting the token in shared logs or transcripts, and revoke or rotate it if exposed. Treat the advertised Sketch/XD/export/code-generation capabilities cautiously because this package only includes Figma parsing and UI checking scripts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill describes capabilities that involve reading local files, writing output assets/reports, and making network calls to external services such as the Figma API, but it does not declare any permissions or boundaries for those actions. This creates a least-privilege and transparency problem: an agent could access files or external endpoints without users being clearly informed of scope, increasing the risk of overbroad data access or unintended exfiltration.

Credential Access

High

Category: Privilege Escalation
Content: 4. **输出交付**：文档 / 资产包 / 报告 ## 注意事项 - Figma 需要用户提供 Personal Access Token - Sketch/XD 文件较大，建议压缩或提供具体画板范围 - 切图优先导出 SVG 再转 PNG - 代码生成仅作参考，需人工审核
Confidence: 93% confidence
Finding: Access Token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal