Expanso csv-to-json

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward CSV-to-JSON converter with a disclosed optional HTTP mode, but users should avoid exposing that server publicly.

Safe for normal local CSV-to-JSON conversion. Before using MCP/HTTP mode, bind it to localhost if possible or restrict network access, especially for private CSV data. Only run the Expanso Cloud deploy command when you intentionally want to deploy through that service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill declares an exposed `http_server` input component but does not define any authentication, authorization, or invocation constraints in the manifest. That can make the conversion endpoint reachable by unintended callers, allowing untrusted parties to submit arbitrary CSV payloads, consume local resources, or use the skill as an unintended internal service.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal