CSV Tool Pro

Security checks across malware telemetry and agentic risk

Overview

This is a local CSV utility with expected file read and write behavior and no evidence of hidden network access, credential use, persistence, or unrelated actions.

Install this only if you want an agent to process local CSV files. Use explicit file names and output paths, keep backups for important datasets, and ask for previews before sort, merge, dedupe, or conversion operations that may create or overwrite files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger text is very broad, covering nearly any CSV processing, cleaning, conversion, merge, dedupe, or statistics request without clear boundaries or confirmation gates. In an agent environment, this can cause over-activation and unintended handling of local files, increasing the chance the skill is invoked for sensitive data operations the user did not explicitly intend.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill advertises file-writing operations such as merge, convert, split, and dedupe outputs, but does not warn users that files may be created, modified, or overwritten. In practice, this can lead to accidental data loss, unintended writes in sensitive directories, or silent transformation of important datasets when the user expected read-only analysis.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal