ClawHub

Data Profiler

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward construction data-profiling skill that reads user-provided datasets and can export reports, with no evidence of hidden execution, exfiltration, or persistence.

Install only if you are comfortable letting the agent read the specific construction datasets you provide. Generated reports may include real column names, repeated values, contacts, costs, project identifiers, or other sensitive data, so store and share exports carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example exports a profile report to JSON, and that report intentionally includes top sampled values, column names, inferred types, null rates, and detected patterns. In a data-profiling skill, those outputs can easily contain sensitive business data or personal data from the source dataset, so writing them to disk without any warning, redaction option, or sensitivity guidance creates a real data exposure risk.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The instruction 'When the user asks to assist with construction project tasks' is broad enough to activate this skill for many generic construction-related requests, even when the user did not explicitly ask for data profiling. Over-broad triggering can cause inappropriate routing, unexpected handling of user data, and confusion about the skill’s scope, though the file does not contain direct code execution or exfiltration behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal