Fastadmin: Creating a Plugin

Security checks across malware telemetry and agentic risk

Overview

This is a FastAdmin plugin-development guide with visible code-generation risks, but no hidden installer, credential access, exfiltration, or deceptive behavior.

Install only if you are comfortable reviewing generated FastAdmin plugin code. Before applying generated application/ or public/ files, diff them against your project, keep backups, and narrow any noNeedLogin/noNeedRight wildcard examples before using them in real endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that files under the plugin's application/ and public/ directories will overwrite files in the host application's /application and /public paths, but it does not warn the user about the risk of clobbering existing code or assets. In a plugin-development context, this is dangerous because an operator following the skill could unintentionally replace production controllers, models, views, or static resources, causing code tampering, outages, or accidental introduction of backdoors if untrusted plugin content is packaged or installed.

VirusTotal

65/65 vendors flagged this skill as clean.
