Back to skill

Security audit

Jw Data Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward data-analysis helper that may read user-provided data and create local output files, with no evidence of hidden or unsafe behavior.

Before installing, treat any datasets, database connections, and API sources as sensitive. Use least-privilege or read-only credentials where possible, confirm where generated files will be saved, and avoid giving it personal or confidential data unless analysis is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill advertises broad trigger phrases such as '数据分析', '图表', and '统计', which are common in ordinary conversations and can cause the skill to activate unexpectedly. Over-broad activation increases the chance that the agent will generate code, process files, or perform file-writing behavior in contexts where the user did not clearly intend to invoke this skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that charts are saved to the D drive by default, but the description does not clearly warn users up front that outputs may write files to the local system. This is risky because unexpected local file creation can expose sensitive data, overwrite existing content, or violate user expectations about what the assistant is allowed to do.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.