Back to skill

Security audit

Product Detail Page Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a product-page generation workflow with disclosed platform, publishing, and contact steps, but users should avoid sending confidential product assets or reusing the demo credentials.

Install only if you are comfortable uploading product images and descriptions to show.3diy.world and, for orders, emailing them to the listed contact address. Do not send confidential unreleased products, customer-identifying images, or proprietary campaign details unless you have permission, and use your own platform account rather than reusing the public demo credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to publish generated pages and obtain share links/QR codes, but provides no warning that those artifacts may expose product assets, campaign content, or other sensitive business information to unintended audiences. In a skill that automates publishing, omission of visibility/privacy guidance increases the risk of accidental public disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README includes a live-looking username/password pair without any guidance on secure handling, rotation, or the prohibition on reusing shared credentials. Even if labeled as a demo account, publishing credentials in documentation normalizes insecure practice and can lead to unauthorized access, credential stuffing, or accidental use in non-demo environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill asks users to email product descriptions and image attachments directly to a personal mailbox, but provides no privacy notice, retention policy, consent language, or guidance on handling potentially sensitive data embedded in images or business materials. This creates a real privacy and data-governance risk because users may submit proprietary product assets, customer-identifying content, or metadata without understanding how the data will be stored, shared, or protected.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.