Data Viz Suite

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local chart, dashboard, and report-generation skill with some dependency and generated-HTML risks to keep in mind.

Install it in an isolated Python environment, consider pinning dependencies before production use, avoid putting untrusted data into exported HTML without escaping, and be aware that generated dashboards fetch Plotly JavaScript from a CDN when opened.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation demonstrates file-writing capability (for example, exporting HTML/PDF reports and saving dashboards) but does not declare any corresponding permission. Undeclared write capabilities can bypass user expectations and platform controls, increasing the risk of unauthorized file creation or overwrite when the skill is invoked.

Unpinned Dependencies

Low

Category: Supply Chain
Content: plotly>=5.15.0 matplotlib>=3.7.0 seaborn>=0.12.0 pandas>=2.0.0
Confidence: 92% confidence
Finding: plotly>=5.15.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: plotly>=5.15.0 matplotlib>=3.7.0 seaborn>=0.12.0 pandas>=2.0.0 numpy>=1.24.0
Confidence: 92% confidence
Finding: matplotlib>=3.7.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: plotly>=5.15.0 matplotlib>=3.7.0 seaborn>=0.12.0 pandas>=2.0.0 numpy>=1.24.0 kaleido>=0.2.0
Confidence: 92% confidence
Finding: seaborn>=0.12.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: plotly>=5.15.0 matplotlib>=3.7.0 seaborn>=0.12.0 pandas>=2.0.0 numpy>=1.24.0 kaleido>=0.2.0 openpyxl>=3.1.0
Confidence: 92% confidence
Finding: pandas>=2.0.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: matplotlib>=3.7.0 seaborn>=0.12.0 pandas>=2.0.0 numpy>=1.24.0 kaleido>=0.2.0 openpyxl>=3.1.0 reportlab>=3.6.0
Confidence: 92% confidence
Finding: numpy>=1.24.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: seaborn>=0.12.0 pandas>=2.0.0 numpy>=1.24.0 kaleido>=0.2.0 openpyxl>=3.1.0 reportlab>=3.6.0 jupyter>=1.0.0
Confidence: 92% confidence
Finding: kaleido>=0.2.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: pandas>=2.0.0 numpy>=1.24.0 kaleido>=0.2.0 openpyxl>=3.1.0 reportlab>=3.6.0 jupyter>=1.0.0
Confidence: 92% confidence
Finding: openpyxl>=3.1.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: numpy>=1.24.0 kaleido>=0.2.0 openpyxl>=3.1.0 reportlab>=3.6.0 jupyter>=1.0.0
Confidence: 92% confidence
Finding: reportlab>=3.6.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: kaleido>=0.2.0 openpyxl>=3.1.0 reportlab>=3.6.0 jupyter>=1.0.0
Confidence: 92% confidence
Finding: jupyter>=1.0.0

Known Vulnerable Dependency: reportlab — 6 advisory(ies): CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser) +3 more

Critical

Category: Supply Chain
Confidence: 78% confidence
Finding: reportlab

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal