ClawHub

CSV Data Explorer

Security checks across malware telemetry and agentic risk

Overview

This is a local CSV analysis tool whose file access and exports match its stated purpose, with only ordinary caution needed around chosen input and output paths.

Install if you are comfortable letting the tool read the CSV files you explicitly provide. Choose output paths carefully because exports can replace files, and treat CSV contents and generated reports as potentially sensitive if they contain private or business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes reading arbitrary CSV files from user-supplied paths, which is a file-read capability, but the manifest does not declare any corresponding permission. Even if file access is expected for a CSV exploration tool, undeclared file-read behavior weakens permission transparency and could allow the skill to access sensitive local files if the implementation does not restrict paths.

Missing User Warnings

Low
Confidence
70% confidence
Finding
The export function writes to an arbitrary user-supplied path without checking whether the destination already exists or warning before overwrite. In a CLI context this can lead to accidental data loss or unintended file creation if a user mistypes a path, though it is not an obvious privilege-escalation issue on its own.

Missing User Warnings

Low
Confidence
76% confidence
Finding
Histogram generation automatically saves a PNG file in the current working directory without an explicit confirmation step. This can surprise users, clutter the filesystem, or overwrite files if naming collisions occur, making it a real but low-severity safety issue rather than a severe security flaw.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal