Neckr0ik Etl Builder
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is broadly aligned with building ETL pipelines, but its reviewed code writes pipeline files using unsanitized pipeline names, which can escape the intended config directory.
Review this skill before installing or using it. It appears purpose-aligned for ETL, but: use simple, safe pipeline names; verify the CLI source; keep credentials scoped; avoid storing raw secrets in pipeline JSON; and test with dry runs before loading or scheduling data syncs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or malformed pipeline name could cause the skill to write files outside its own configuration area.
The pipeline name is used directly in a filesystem path. Absolute paths or `..` path segments could escape the intended `~/.data-pipeline/pipelines` directory and create or overwrite JSON files elsewhere.
pipeline_file = self.pipelines_dir / f"{name}.json"
pipeline_file.write_text(json.dumps(pipeline.__dict__, indent=2))
Only use simple pipeline names made of letters, numbers, dashes, and underscores. The skill should validate names against such an allow-list and resolve the final path to confirm every write stays inside its config directory.
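As an added example (not the skill's own code), the unsafe join quoted above is shown next to a hardened version that validates the name against an allow-list and then confirms the resolved target is still under the pipelines directory. The directory layout mirrors the reviewed `~/.data-pipeline/pipelines`; the helper names, the 64-character limit and the candidate names are assumptions for illustration.

```python
import re
from pathlib import Path

# Mirrors the reviewed skill's layout (assumption: same default location).
PIPELINES_DIR = Path.home() / ".data-pipeline" / "pipelines"

# Hypothetical allow-list: letters, digits, dash, underscore; 1 to 64 characters.
# No '/', no '.', so neither absolute paths nor '..' segments can get through.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_pipeline_path(name: str, pipelines_dir: Path = PIPELINES_DIR) -> Path:
    """Reproduces the reviewed pattern: the name is joined into the path as-is.

    pathlib discards the base when the right-hand side is absolute, and '..'
    segments are kept verbatim until resolve(), so both escape the directory.
    """
    return pipelines_dir / f"{name}.json"


def _inside(base: Path, target: Path) -> bool:
    """True when target is base itself or lies somewhere beneath it."""
    return target == base or base in target.parents


def escapes_base(name: str, pipelines_dir: Path = PIPELINES_DIR) -> bool:
    """True when the unsafe join would land outside the pipelines directory."""
    base = pipelines_dir.resolve()
    return not _inside(base, unsafe_pipeline_path(name, pipelines_dir).resolve())


def safe_pipeline_path(name: str, pipelines_dir: Path = PIPELINES_DIR) -> Path:
    """Allow-list the name, then re-check the resolved path (defence in depth).

    The regex already rejects '/' and '..'; the resolve() check stays so that a
    later relaxation of the regex cannot silently reopen the traversal.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"invalid pipeline name: {name!r}")
    base = pipelines_dir.resolve()
    target = (base / f"{name}.json").resolve()
    if not _inside(base, target):
        raise ValueError(f"pipeline path escapes {base}: {target}")
    return target


if __name__ == "__main__":
    # Constructed candidates: one benign name and three that walk out of the directory.
    for candidate in ["daily_sales", "../../.bashrc", "/etc/cron.d/evil", "nested/../../x"]:
        print(f"{candidate!r}: unsafe -> {unsafe_pipeline_path(candidate)} "
              f"(escapes={escapes_base(candidate)})")
        try:
            print(f"  safe   -> {safe_pipeline_path(candidate)}")
        except ValueError as exc:
            print(f"  safe   -> rejected: {exc}")
```

Running the block shows the unsafe join producing `~/.bashrc.json` and `/etc/cron.d/evil.json` for the traversal names, while the hardened version rejects all three and accepts only `daily_sales`. The regex check alone would suffice here; the resolved-path check is what protects the write if the naming rule is ever loosened.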
Running a pipeline could overwrite, append, or update records in databases, files, or connected services.
The skill can write or update destination systems, including replace/upsert modes. This is expected for ETL, but it can materially change external data.
Load mode (append, replace, upsert)
Use `--dry-run`, `--limit`, test destinations, and scoped credentials before running or scheduling production pipelines.
Credentials supplied to the skill may grant access to databases, cloud storage, spreadsheets, APIs, or SaaS tools.
The skill expects credentials for multiple data services. This is normal for ETL, but the registry metadata declares no primary credential or required environment variables.
Google Sheets | Cloud | OAuth / API Key ... S3 | Cloud | Access Key ... GCS | Cloud | Service Account
Use least-privilege, revocable credentials dedicated to this pipeline, and avoid broad production keys where possible.
Pipeline configuration and run history can persist locally and may contain sensitive connection details if the user includes them.
Pipeline configuration is persisted under the user's home directory. If configs include connection strings, tokens, endpoints, or mappings, those details may remain on disk for later runs.
self.config_dir = Path(config_dir or Path.home() / ".data-pipeline") ... pipeline_file.write_text(json.dumps(pipeline.__dict__, indent=2))
Review files under `~/.data-pipeline`, avoid storing raw secrets in pipeline JSON where possible, and protect or delete old pipeline configs when no longer needed.
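As an added example (not the skill's own code), a small scanner that walks pipeline JSON and flags two ways raw secrets end up on disk: literal values under secret-like keys, and `user:password@host` credentials embedded in connection URLs. Values written as `${ENV_VAR}` references are treated as acceptable. The sample pipeline JSON is constructed for the example, and the key-name pattern is an assumption to tune per environment.

```python
import json
import re
from pathlib import Path
from typing import Any, Iterator, List, Tuple

# Assumed key names that usually hold raw credentials; tune for your environment.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I
)
# scheme://user:password@... at the start of a connection string.
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s:]+:[^/@\s]+@", re.I)

# Constructed sample of what a persisted pipeline file might contain.
SAMPLE_PIPELINE_JSON = """
{
  "name": "daily_sales",
  "source": {
    "type": "postgres",
    "connection": "postgresql://etl_user:hunter2@db.internal:5432/sales"
  },
  "destination": {
    "type": "s3",
    "bucket": "reports",
    "endpoint": "https://s3.example.internal",
    "access_key": "AKIA_EXAMPLE_NOT_REAL",
    "secret_key": "${AWS_SECRET_ACCESS_KEY}"
  },
  "load_mode": "upsert",
  "schedule": "0 2 * * *"
}
"""


def walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path, leaf_value) for every scalar in a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_embedded_secrets(pipeline: dict) -> List[str]:
    """Return human-readable findings for credential material stored in the config."""
    findings = []
    for path, value in walk(pipeline):
        if not isinstance(value, str) or not value:
            continue
        leaf = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(leaf) and not value.startswith("${"):
            findings.append(f"{path}: literal value under a secret-like key")
        elif URL_CRED_RE.match(value):
            findings.append(f"{path}: credentials embedded in connection URL")
    return findings


def scan_sample() -> List[str]:
    """Scan the constructed sample; used by the example's self-check."""
    return find_embedded_secrets(json.loads(SAMPLE_PIPELINE_JSON))


def scan_pipelines_dir(pipelines_dir: Path) -> List[str]:
    """Scan every *.json under a pipelines directory, prefixing findings with the file."""
    results = []
    for json_file in sorted(pipelines_dir.glob("*.json")):
        try:
            config = json.loads(json_file.read_text())
        except (OSError, ValueError) as exc:
            results.append(f"{json_file}: unreadable ({exc})")
            continue
        results.extend(f"{json_file}: {finding}" for finding in find_embedded_secrets(config))
    return results


if __name__ == "__main__":
    for finding in scan_sample():
        print("sample:", finding)
    # Same default location as the reviewed skill (assumption); skipped if absent.
    real_dir = Path.home() / ".data-pipeline" / "pipelines"
    if real_dir.is_dir():
        for finding in scan_pipelines_dir(real_dir):
            print(finding)
```

On the sample the scanner reports the `source.connection` URL and the literal `destination.access_key`, and stays silent on the `${AWS_SECRET_ACCESS_KEY}` reference and the credential-free endpoint. The env-reference exemption reflects the recommendation above: keep the indirection in the JSON and the secret itself in the environment or a secret store.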
A scheduled pipeline may keep syncing data automatically until it is disabled.
The skill explicitly supports scheduled automation. This is purpose-aligned, but scheduled jobs can continue moving data after the initial setup.
Schedule — Run pipelines on cron schedules
Confirm schedules before enabling them and keep an inventory of active pipeline jobs.
The documented command may not be available, or users may install/run an implementation from an unverified source.
The documentation references a CLI command, but the registry does not declare how that command is installed or what binary should exist.
No install spec — this is an instruction-only skill.
Verify the executable source before running `neckr0ik-etl-builder`; prefer the reviewed script or a trusted package source.
