JW Data Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a simple data-analysis skill whose file outputs are expected, but users should choose data sources and output paths deliberately.

Install only if you are comfortable letting the agent analyze the files, database connections, or API data you explicitly provide. Ask it to use a specific output folder, avoid sensitive raw data unless necessary, and review generated Python scripts before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (86% confidence)
Finding
The skill uses very broad trigger concepts like '数据分析、图表、统计、报表、可视化' (data analysis, charts, statistics, reports, visualization), which can cause unintended activation in many normal conversations involving data or charts. This increases the chance the agent will invoke file/database/API-handling behavior without sufficiently explicit user intent, expanding the attack surface for prompt injection, unintended data access, or unsafe automation.

Missing User Warnings

Medium (81% confidence)
Finding
The skill states that generated charts are saved to the D drive by default, but the description does not prominently warn users about this automatic file-writing behavior or require confirmation. Silent default persistence can expose sensitive data, create files in unexpected locations, and violate least-surprise and data-handling expectations, especially in enterprise or shared environments.

VirusTotal

59/59 vendors flagged this skill as clean.
