Tailwind

Security checks across malware telemetry and agentic risk

Overview

This skill is safe from a security perspective, but its Tailwind label is misleading because it mostly prints generic reference text.

Install only if you understand this is a generic, templated reference helper rather than authoritative Tailwind documentation. Cross-check any Tailwind implementation advice against official Tailwind resources.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 98% confidence
Finding: The script advertises itself as a Tailwind frontend reference tool, but its content is generic infrastructure, security, and operations guidance unrelated to Tailwind CSS. This mismatch is dangerous because it can mislead users and downstream agents into trusting and invoking a skill under false pretenses, increasing the risk of inappropriate use, prompt-routing mistakes, or abuse of a broadly named skill in frontend workflows.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The inline documentation explicitly claims the script is a Tailwind reference tool, yet the implemented commands emit unrelated generic operational content. In an agent ecosystem, deceptive or inaccurate self-description is a security concern because it undermines trust boundaries and can cause an agent to select this skill for sensitive frontend tasks based on false metadata.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal