Back to skill

Security audit

Intelligent data analysis report generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent data-reporting skill, but its generated HTML can run unsafe JavaScript from crafted spreadsheet content, so users should review it before use.

Install only if you are comfortable reviewing generated reports and using it on trusted spreadsheets. Avoid opening reports created from untrusted CSV/Excel files until the template removes eval and sanitizes all spreadsheet-derived text. For sensitive data, prefer a locally bundled chart library over the CDN and approve any custom analysis script explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The instruction to 'run custom pandas analysis scripts' expands the skill from fixed report generation into arbitrary code execution behavior driven by user requests. Even though phrased as analysis, this can enable execution of unreviewed scripts with filesystem access on sensitive local data, substantially increasing the attack surface beyond the stated skill purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template loads ECharts from a public CDN at runtime, which gives a remote third party influence over executable JavaScript in the generated report. In this skill context, reports are expected to analyze local Excel/CSV data, so introducing network-fetched code increases supply-chain and integrity risk, especially if reports are opened in sensitive or offline-trusted environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.