Sheet Data Enrichment

Security checks across malware telemetry and agentic risk

Overview

This appears to be a spreadsheet enrichment skill with expected web lookups and spreadsheet updates, but users should be aware that linked spreadsheet data may be sent to external sites or APIs.

Install only if you are comfortable with spreadsheet-linked URLs or row context being used for external lookups. For sensitive spreadsheets, ask the agent to confirm domains and rows before fetching, and review proposed write-backs before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest uses very broad trigger phrases for generic spreadsheet tasks ('fill in', 'summarize by', 'aggregate'), which can cause this skill to be invoked for routine spreadsheet work beyond the user's likely intent. Because the skill performs external fetching and enrichment, over-broad routing raises the chance of unnecessary network access, data exposure, and unexpected modification of spreadsheet contents.

Missing User Warnings

Medium
Confidence: 95%
Finding
The description does not clearly warn users that the skill may visit external URLs or call APIs based on spreadsheet contents, which can transmit linked data or metadata to third parties. In this skill's context, that omission is more dangerous because the core workflow explicitly fetches web pages and then writes results back, so users may unknowingly trigger external data flows from potentially sensitive spreadsheets.

VirusTotal

64/64 vendors flagged this skill as clean.
