ClawHub

Ovitalmap Parcel CSV

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Ovitalmap CSV generator that also keeps local parcel archives as disclosed, with no evidence of network exfiltration, credential access, hidden install behavior, or destructive intent.

Install this only if you want parcel coordinates, provider names, and cadastre or permit IDs saved in local workspace CSV archives. Use the documented step-by-step flow, confirm parsed coordinates and provider names before write steps, and review any official-ID cadastre update before letting the archive be modified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
During duplicate handling, the pipeline can call update_cadastre() and modify archive state based solely on input data, with no explicit confirmation, dry-run mode, or write-protection. In this skill context, the orchestrator is intended to process user-supplied parcel metadata automatically, so silent mutation of archival records increases the risk of unauthorized or accidental tampering with canonical parcel data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The pipeline appends new parcel records to persistent archive files automatically in step 3 via append_parcels(), again without an explicit runtime confirmation or separate commit step. Because this skill is designed to ingest externally supplied parcel data and maintain a per-country database, unintended execution can poison or clutter the archive and make later parcel matching rely on corrupted entries.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal