pipintama-charts

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill coherently creates hosted Pipintama charts, but users should avoid sending sensitive data unless they choose private visibility.

Install this only if you are comfortable sending chart titles and source data to Pipintama. For confidential, personal, regulated, or internal business data, tell the agent to create the chart with `private` visibility before it calls the service, and use a scoped or revocable API key where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill is explicitly designed to send user-provided chart data to a third-party hosted MCP service, but it does not require a clear user-facing disclosure or consent step before transmitting potentially sensitive data. In a charting workflow, users may provide business metrics, internal KPIs, or personal data, so silent external transmission creates a meaningful privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: Defaulting chart visibility to `shared` can expose charts through accessible links even when the user did not explicitly request sharing semantics. Because chart contents may contain sensitive operational or personal information, an insecure default increases the chance of unintended disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal