Security audit

data-analysis-partner

Security checks across malware telemetry and agentic risk

Overview

This data-analysis skill mostly does what it claims, but generated reports can run untrusted spreadsheet content and also load chart code from a third-party CDN.

Install only if you trust the datasets you analyze and are comfortable with generated reports contacting jsDelivr when opened. Avoid opening reports made from untrusted CSV or Excel files on sensitive machines until the report generator escapes all data-derived HTML/script content and offers a bundled or offline chart library.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill promises a 'self-contained HTML' report, but the document explicitly states it loads ECharts from a public CDN at view time and also exposes extra behaviors like returning an open command and structured analysis artifacts. This mismatch can mislead users about network isolation and downstream actions, which matters for sensitive data workflows where users may rely on offline or non-networked guarantees.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The README markets the output as a self-contained HTML report, but elsewhere admits the report fetches ECharts from an external CDN at runtime. This is a security-relevant documentation flaw because users may open reports in sensitive or offline environments under the false assumption that no network access occurs, leading to unexpected metadata leakage and weakened trust boundaries.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The documentation is internally inconsistent: it says the report is self-contained, then later states it loads ECharts from jsDelivr. That contradiction can cause operators to misclassify the artifact as safe for restricted environments, increasing the chance of unintended outbound connections and privacy/compliance violations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The skill advertises a self-contained HTML report, but the generated HTML loads ECharts from a third-party CDN at runtime. This breaks the self-contained trust boundary and introduces supply-chain and privacy risk: opening the report can trigger outbound network access and execute remotely served JavaScript in the local browser context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: For a local data-analysis skill, adding an external script dependency is not necessary for core functionality and causes report viewing to reach out to the network. That creates unexpected data exposure via request metadata and allows remote code delivery if the CDN, DNS, or connection path is compromised.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The README only later mentions that the first run may automatically create a virtual environment and install packages, which is a material side effect that should be disclosed upfront. Automatic environment creation and package installation can trigger unexpected code execution paths, network access, and dependency trust risks in environments where users believed the skill would only analyze local files.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: index.js:18