Excel Chart Report Developer

Security checks across malware telemetry and agentic risk

Overview

This is a lightweight Excel-reporting guidance skill with no executable code, credentials, persistence, or hidden behavior.

Install if you want guidance for Excel report workbook automation and repair. Expect it to be invoked for Excel chart/report/export tasks; if you only want narrow manual activation, the publisher should tighten the trigger phrases or disable implicit invocation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger sentences are broad, awkwardly phrased, and partially generic, which increases the chance that unrelated user requests could accidentally match and invoke the skill. In an agent system, unintended invocation can route tasks to tooling or instructions that are not appropriate for the user’s actual intent, creating mis-execution risk and expanding the skill’s operational surface unnecessarily.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are very broad and generic, so the skill may activate in contexts that only loosely mention Excel reporting rather than explicitly requesting this skill. Over-broad activation increases the chance of inappropriate invocation, which can steer an agent into applying the wrong workflow or exposing unintended capabilities in unrelated tasks.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger examples are overly broad and malformed, using generic phrases like 'I need a practical workflow' tied to a long requirement sentence rather than a narrowly scoped capability boundary. In an agent system, this can cause unintended skill activation on loosely related requests, leading the agent to apply the wrong workflow, consume untrusted context, or override better-matched skills.

Vague Triggers

Medium
Confidence: 90%
Finding
The default prompt and short description are broad enough to match many ordinary Excel-related tasks, and with implicit invocation enabled this can cause the skill to be auto-selected outside a narrowly intended scope. That increases the chance the agent applies workbook-modifying or export automation behavior in contexts where a simpler or safer skill was intended, which can lead to unintended file changes, excessive capability use, or confused-deputy behavior.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger sentences are extremely broad, unnatural, and close to generic user phrasing, which increases the chance that the skill activates for unrelated Excel or workflow requests. In an agent environment, overbroad triggers can cause incorrect tool/skill routing, unexpected instruction injection into otherwise normal conversations, and reduced user control over when this skill influences execution.

VirusTotal

63/63 vendors flagged this skill as clean.
