datapilot

Security checks across malware telemetry and agentic risk

Overview

The skill matches its DataPilot purpose, but its CLI can persist raw credentials in a local log file.

Review before installing. Do not use this version with a live or privileged DataPilot key unless the raw-key logging is removed or patched. Rotate any DATAPILOT_API_KEY already used with it, delete old dataagent_cli.log files, prefer least-privilege read-only datasource credentials, avoid inline datasource JSON containing secrets, and manually confirm create/update/delete actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

High
Confidence: 99%
Finding:
`getAuthHeaders()` calls `writeLog()` with `keyenv: process.env.DATAPILOT_API_KEY`, which records the full environment API key to `dataagent_cli.log`. This creates a local credential disclosure risk because anyone with access to the log file can reuse the bearer token/API key to access the DataPilot service, and the surrounding code misleadingly suggests secrets are sanitized.

Intent-Code Divergence

High
Confidence: 95%
Finding:
The file defines `sanitizeSecret`, `sanitizeArgs`, and `getRelevantEnv`, which imply credentials are redacted before logging, but `getAuthHeaders()` bypasses that protection and logs the raw environment key. This mismatch is dangerous because reviewers and users may trust the sanitization helpers and miss that sensitive credentials are still being persisted in plaintext.

Vague Triggers

Medium
Confidence: 90%
Finding:
The skill’s activation criteria are very broad, covering essentially any request related to asking about data, querying data, analysis, or reporting. In an agent ecosystem, this can cause the skill to trigger in situations where the user did not explicitly intend external API use, data access, agent creation, or report generation, increasing the chance of unintended sensitive-data processing and side effects.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill instructs users to provide datasource JSON containing credentials such as database usernames, passwords, access keys, and possibly local SQLite files, but it gives no warning about secret handling, minimization, redaction, or storage risks. This is dangerous because users may paste live production credentials or upload sensitive database files into the agent workflow, enabling credential leakage, over-privileged access, or exposure of regulated data.

Missing User Warnings

High
Confidence: 99%
Finding:
The CLI writes the raw `DATAPILOT_API_KEY` from the environment to a local log file without warning or consent. Because this tool is intended for data analysis workflows, not credential capture, the skill context makes the behavior more suspicious and increases the risk of unintended secret exposure on shared workstations, CI runners, or support bundles.

VirusTotal

64/64 vendors flagged this skill as clean.