Volcano Plot Labeler

Security checks across malware telemetry and agentic risk

Overview

This is a self-contained volcano-plot data visualization skill with ordinary local file input/output and no evidence of credential access, network activity, persistence, or hidden behavior.

Install this in a sandboxed Python environment, pin or review dependency versions before repeatable use, and run it only on CSV/TSV differential-expression files you intend to process. Expect it to read the input file and write a plot image to the output path you provide; the documentation has minor quality issues but no artifact-backed security concern requiring Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The example input references 'explicit symptoms, history, assessment, and next-step plan,' which is unrelated to volcano-plot gene labeling. This creates prompt/intent confusion and increases the chance that orchestration layers or users apply the skill to the wrong domain, undermining scope controls and making the skill easier to trigger in unintended contexts.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The example input references 'explicit symptoms, history, assessment, and next-step plan,' which is unrelated to volcano-plot gene labeling. This creates prompt/intent confusion and increases the chance that orchestration layers or users apply the skill to the wrong domain, undermining scope controls and making the skill easier to trigger in unintended contexts.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The 'Use this skill for data analysis tasks' wording is broader than the actual function of the skill and may cause generic routing systems or human operators to invoke it for unrelated analysis requests. In agent settings, over-broad trigger language weakens least-privilege task selection and can expose packaged scripts to inputs they were not designed to handle safely.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: matplotlib, numpy, pandas
Confidence: 94%
Finding: matplotlib

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: matplotlib, numpy, pandas
Confidence: 98%
Finding: numpy

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: matplotlib, numpy, pandas
Confidence: 97%
Finding: pandas

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 87%
Finding: numpy

Known Vulnerable Dependency: pandas — 1 advisory(ies): CVE-2020-13091 (** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an)

Severity: High
Category: Supply Chain
Confidence: 73%
Finding: pandas

VirusTotal

64/64 vendors flagged this skill as clean.
