data-analyst

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only data analyst skill whose business-data risks are expected for its purpose and not backed by hidden code or install behavior.

Safe to install as a data-analysis helper. Before connecting it to real systems, limit it to approved datasets and require confirmation before sending reports, scheduling jobs, changing dashboards, emailing results, or sharing sensitive business data with other agents.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The invocation guidance is very broad and effectively authorizes the skill to engage on any business context, data source, KPI, and implementation task without clear trigger boundaries or scope limits. In an agent ecosystem, this can cause the skill to activate in overly general situations and take actions on sensitive data-analysis workflows it was not explicitly intended to handle, increasing the chance of overreach, unsafe delegation, or misuse of connected tools.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal