Back to skill

Security audit

SPC绘图及分析技能

Security checks across malware telemetry and agentic risk

Overview

This skill performs local SPC quality analysis and saves an HTML report, with no evidence of hidden network access, credential use, or destructive behavior.

Before installing, be aware that the skill runs a local Python analysis script on Excel files and creates an HTML report that may contain production or quality metrics. Use an appropriate working directory and remove generated reports if they contain sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to generate and save HTML reports to the working directory, which is a file-write capability, yet no permissions are declared. Undeclared write behavior can surprise users, weaken policy enforcement, and increase the chance of sensitive or user-derived data being persisted without explicit approval.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger conditions are broad enough to overlap with common data-analysis requests, which can cause the skill to activate unexpectedly. Mis-triggering matters here because the skill can invoke shell commands and write output files, so accidental activation could lead to unnecessary processing or persistence of user data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that it generates and saves HTML reports, but it does not clearly foreground to the user that user-related analysis output will be written into the working directory. This can create data handling and privacy issues, especially if reports include sensitive production metrics, filenames, or embedded chart content and remain on disk longer than expected.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.