sf-business-data-export

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Salesforce export skill, but it needs review because it can use Salesforce credentials to export broad sets of business data into local Excel files if the run is not tightly scoped.

Install only if you intend to export Salesforce business data. Before running it, explicitly set the Salesforce org, least-privileged account, object list, date range, filters, profile or record type, output directory, and header language; avoid default object lists or full-scope exports unless that is exactly intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
Defaulting final Excel headers to Chinese labels without explicit user choice can cause data handling mistakes, misunderstanding of exported columns, or operational friction in multilingual environments. While not a classic security flaw, it can degrade review accuracy and lead to downstream misuse of exported business data if recipients assume a different language context.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
The review-readiness rule again prefers Chinese labels by default, reinforcing a non-user-driven language choice in generated artifacts. In a business export workflow, this can impair reviewer comprehension, increase validation errors, and reduce the reliability of human review for sensitive exported records.

VirusTotal

67/67 vendors flagged this skill as clean.
