powerdrill-data-analysis

Security checks across malware telemetry and agentic risk

Overview

This is a normal Powerdrill cloud data-analysis helper, but users should be deliberate because selected files and questions are sent to Powerdrill and cleanup can delete remote resources.

Install only if you are comfortable sending chosen datasets, file contents, prompts, and resulting analysis artifacts to Powerdrill's external service. Avoid using it for secrets or regulated data unless approved, keep credentials in environment variables, and confirm before uploading files or deleting datasets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly instructs users to upload local files and submit natural-language analysis queries to Powerdrill, which necessarily transfers potentially sensitive data to a third-party external service. There is no visible privacy, data-handling, retention, or consent warning in the introductory guidance, which increases the risk that an agent or user sends confidential files without informed approval.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger language is broad enough to activate on generic requests like analyzing data, uploading files, or visualizing trends, which can cause the skill to run in situations the user did not specifically intend for Powerdrill. In this skill, that matters because activation can lead to file upload, credential use, and external transmission of potentially sensitive data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation encourages uploading local files and sending them to a remote Powerdrill service, but it does not clearly warn that local content will leave the user's environment and be processed by a third party. In a data-analysis skill, this materially increases risk because users may provide confidential spreadsheets, documents, or reports without understanding the privacy and compliance implications.

Missing User Warnings

Medium
Confidence: 89%
Finding
The cleanup guidance strongly recommends deleting datasets after analysis and even says to always call cleanup, but it does not consistently emphasize that dataset deletion is destructive and irreversible. This can lead to accidental loss of uploaded data sources and analysis artifacts, especially if cleanup is automated or performed without a separate confirmation step.

VirusTotal

66/66 vendors flagged this skill as clean.
