Security audit

Product Prototype Design

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward product-prototype generator that creates local HTML mockups, with no evidence of hidden data access or destructive behavior.

Install this if you want an agent to generate local product-prototype HTML files. Before using it, be aware that it may create files for broad page/demo/interface requests, and review generated HTML for CDN or font links if you need fully offline or private prototypes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 88%
Finding
The trigger scope is overly broad and can cause the skill to activate for generic requests about pages, demos, or interfaces even when the user did not ask to generate local files or prototypes. In an agent context, broad auto-triggering increases the chance of unexpected file creation and tool use, which can violate user intent and lead to unsafe or unauthorized actions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs use of a Write tool to create an HTML file on disk without warning the user or requiring confirmation. In agent environments, silent filesystem writes are a meaningful safety issue because they can surprise users, create unwanted artifacts, and normalize unauthorized local modifications.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.