Back to skill

Security audit

UI Design Tips

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only UI/UX guidance skill with accessibility caveats, but it does not include hidden code, credential access, persistence, or destructive behavior.

Safe to install as a UI design reference. Apply its advice with human review for accessibility: keep visible keyboard focus, respect reduced motion, prefer native or proven accessible form controls, and adapt layout direction for RTL or multilingual products.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guidance explicitly tells readers to remove the browser's default focus outline and replace it with a themed glow, but it does not ensure the replacement is consistently visible across themes, high-contrast modes, forced-colors environments, or keyboard-only navigation scenarios. In a UI/UX reference skill, this is a real accessibility and safety issue because downstream users may copy the pattern verbatim and ship interfaces with degraded focus visibility.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The document later instructs authors to respect `prefers-reduced-motion`, but earlier examples include infinite shimmer, scan-line, glitch, spin, and other animated effects without showing reduced-motion-safe variants at the point of use. This contradiction can lead implementers to copy inaccessible motion-heavy patterns into production, increasing risk for motion-sensitive users.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is extremely broad and can trigger on a large range of ordinary UI-related requests, increasing the chance the agent invokes this skill when the user did not explicitly ask for it. Overbroad activation can cause unnecessary context injection, response steering, and unintended prioritization of this skill's guidance over more appropriate domain-specific instructions.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The guidance 'Left-align for LTR readability' encodes a locale-specific layout assumption and may be inappropriately applied without checking the user's language, script direction, or audience. While not a classic security flaw, it can produce misleading or exclusionary outputs and degrade usability for RTL or multilingual interfaces.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The statement that important settings should never use native checkbox/radio controls pushes developers toward custom controls by default, despite the native elements providing built-in semantics, accessibility behavior, platform familiarity, and lower implementation risk. In this skill context, that advice is especially dangerous because it is framed as best practice and may cause widespread adoption of brittle, less accessible widgets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.