Chart Data Viz

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a chart-generation helper whose local file access is purpose-aligned, with no supplied evidence of hidden, destructive, or unrelated behavior.

Install if you want chart-generation assistance, but use it only with data files you intend the agent to read and ask before it writes or overwrites chart outputs in your workspace.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill explicitly states it reads and writes local files under the user's workspace, but it does not declare permissions for those capabilities. This creates a transparency and policy gap: the agent may access or modify local data without clear permission scoping, which can lead to unintended file exposure or overwrites if the skill is invoked unexpectedly or implemented loosely.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The description is broad enough that the skill could be triggered for generic data-analysis or 'help with numbers' requests, not just explicit chart-generation tasks. Unintended activation increases the chance of unnecessary local file access/writes and can route user data into this skill when another safer or more appropriate tool should handle the request.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal