Excel Data Import

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Excel/CSV import tool whose file reads, writes, backups, and logs fit its stated purpose, but users should handle sensitive spreadsheet data carefully.

Install only if you are comfortable letting the skill process the spreadsheet paths you provide. Use a dedicated project folder, run with --dry-run first, avoid importing passwords or unnecessary personal data, and restrict access to generated backups, logs, and reports because they may contain spreadsheet values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill explicitly instructs the agent to read source files and write output spreadsheets, but it does not declare any permissions or constraints for those file operations. In an agent environment, undeclared file_read/file_write capability weakens security boundaries, making it easier for the skill to access or overwrite unintended local files if invoked with attacker-controlled paths or configs.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The document provides concrete examples for importing and validating highly sensitive fields such as national ID numbers, phone numbers, and passwords without any accompanying privacy, masking, retention, or access-control guidance. In a data-import skill, this omission can normalize unsafe handling of personal data and credentials, increasing the chance that users process, store, or expose regulated data insecurely.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The preview and test examples print raw field values directly to output, and the surrounding examples include PII such as names, ID numbers, and phone numbers. In a batch Excel import context, this creates a realistic log-exposure pattern that could leak sensitive data into terminals, CI logs, support bundles, or shared observability systems.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documentation enables automatic backups, error logs, and validation reports that can duplicate imported spreadsheet contents, including sensitive fields such as identity numbers, without any visible warning about privacy, retention, access controls, or redaction. In an Excel/CSV import skill, this materially increases the risk of unintended disclosure because failed rows and backups often contain the same sensitive business or personal data as the source files.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The quickstart uses and persists personally identifiable information, including names and national ID numbers, in a plain example workflow without any warning about synthetic test data, masking, retention, or access controls. In a data-import skill, examples strongly influence user behavior, so this can normalize handling real PII in unsafe local files and backups.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The troubleshooting guide includes irreversible cleanup commands such as deleting temporary files and old backups without an explicit warning, confirmation step, or safer alternatives. In operational docs for a file-processing skill, users may copy-paste these commands directly, which creates a real risk of unintended data loss if paths or glob patterns are broader than expected.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The workflow explicitly describes saving output files, reports, and logs but does not warn users that existing files at those paths may be overwritten or modified. In a file-processing skill that operates on spreadsheets and report/log destinations, this omission increases the risk of accidental data loss or unintended modification of sensitive business documents.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The document uses sensitive personal identifier examples such as 身份证号 (national ID number) and shows them in validation/error contexts without any privacy handling guidance. In a data-import skill for HR-style spreadsheets, normalizing the inclusion of personal identifiers in configs, reports, and logs can lead to unnecessary exposure of regulated personal data.

Ssd 3

Severity: Medium
Confidence: 92%
Finding: The example includes realistic-looking national ID numbers in documentation for spreadsheet import/export, which can encourage users to copy the pattern with real sensitive identifiers into unsecured Excel files, outputs, and backups. Because this skill explicitly supports bulk import, merge, and backup workflows, the context increases the chance of large-scale accidental exposure of sensitive records.

VirusTotal

66/66 vendors flagged this skill as clean.