Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Powerdrill Data Analysis

v0.1.0

This skill should be used when the user wants to analyze, explore, visualize, or query data using Powerdrill. Covers listing, creating, and deleting datasets; uploading local files as data sources; creating analysis sessions; running natural-language data analysis queries; and retrieving charts, tables, and insights. Triggers on requests like "analyze my data", "query my dataset", "upload this file for analysis", "list my datasets", "create a dataset", "visualize sales trends", "continue my previous analysis", "delete this dataset", or any data exploration task mentioning Powerdrill.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, README, and the included Python client all consistently implement Powerdrill dataset, upload, session, and job operations against https://ai.data.cloud/api. The requested capabilities line up with the stated purpose.
Instruction Scope
Runtime instructions and the client instruct the agent to read local files (upload_local_file), poll dataset status, create/delete datasets and sessions, and post multipart uploads to URLs returned by the API. Those actions are expected for a data-upload/analysis skill, but they do involve reading arbitrary local files you point it at and sending them to an external service (Powerdrill). The client also calls sys.exit when required env vars are missing, which may terminate an agent process unexpectedly.
Install Mechanism
No install spec is provided (instruction-only + a bundled Python client). Only an ordinary Python dependency ('requests') is required per the README/SKILL.md. No downloads from untrusted URLs or archive extraction are present.
Credentials
The SKILL.md and client require two environment variables (POWERDRILL_USER_ID and POWERDRILL_PROJECT_API_KEY) to authenticate with Powerdrill, and the client reads them at runtime. However, the registry metadata included with the skill lists no required environment variables or primary credential — this metadata omission is an incoherence and a security-relevant gap. The credential scope itself is proportional (just the service API key + user id), but it is not declared where one would expect it to be.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings in the visible files, and is user-invocable. It does perform network calls to the Powerdrill API as expected; autonomous invocation is allowed by default but is not in itself a new red flag here.
What to consider before installing
This package implements a Powerdrill client and will upload files you point it at to https://ai.data.cloud/api and perform dataset/session/job operations — that matches its description. Before installing, verify the source and trustworthiness (there's no homepage and owner is unknown). Important specifics:

- The code requires POWERDRILL_USER_ID and POWERDRILL_PROJECT_API_KEY, but the skill metadata does not declare those env vars; confirm where you will store/provide the API key and that the publisher is trustworthy.
- The client will read local files you specify and upload them to remote upload URLs returned by the API. Do not use it with sensitive or confidential data unless you trust the Powerdrill service and the skill's provenance.
- The client will call sys.exit if credentials are missing — this may terminate an agent process unexpectedly.

If you still want to proceed: obtain the API key from a trusted source, set the two environment variables before running, and review the full script locally. If provenance is unclear, prefer obtaining an official SDK or using Powerdrill's documented endpoints directly.


latestvk97dv26kketgn39zp7rwknxsys80z5jk
