data-visualization

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local data-visualization tool that reads user-provided tabular data and creates an HTML dashboard, with privacy cautions around saved outputs.

Install this only if you are comfortable running a local Python chart-generation script on data you provide. Treat the generated HTML as a saved copy of the data and visualizations: review it before sharing, avoid sensitive personal or business data unless local persistence is acceptable, and pick a safe output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill explicitly instructs execution of a script that generates an output HTML file, but the metadata declares only dependencies and no permissions or capability disclosure. This creates a transparency and policy-enforcement gap: an orchestrator or user may invoke a skill that writes files without realizing it, which can lead to unintended file creation or bypass of least-privilege expectations.

Vague Triggers

Medium
Confidence: 77%
Finding: The trigger conditions are broad enough to match many ordinary requests about displaying or exploring data, increasing the chance the skill is invoked when the user did not specifically intend HTML dashboard generation. Overbroad routing can expose user data to unnecessary processing and can trigger file generation side effects unexpectedly.

Missing User Warnings

Medium
Confidence: 84%
Finding: The skill documentation does not prominently warn that it produces an HTML file from user-provided data. Because HTML outputs can embed raw data and are shareable artifacts, users may unintentionally create files containing sensitive information or open generated content without understanding the privacy and content-handling implications.

VirusTotal

64/64 vendors flagged this skill as clean.
