Business Data Analyst Skill

Security checks across malware telemetry and agentic risk

Overview

This skill provides business-analysis guidance and a small local router, with no evidence of hidden access, credential use, persistence, or data exfiltration.

Reasonable to install for business-analysis prompting and lightweight routing. As with any analytics assistant, only provide business metrics or internal context that the agent is allowed to analyze; the skill itself does not ask for special access or transmit data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Low

Confidence: 89% confidence
Finding: The package description is extremely broad, covering many business-analysis use cases without clear trigger boundaries or exclusion criteria. In agent-routing environments, this can cause over-selection of the skill for loosely related prompts, leading to unintended access to internal analysis frameworks or misapplication of the skill in contexts where a narrower tool should have been used.

Natural-Language Policy Violations

Low

Confidence: 77% confidence
Finding: The manifest advertises bilingual/Chinese-oriented capability through keywords, but does not state how language selection occurs or whether the user must opt in. In multi-language agent systems, this can lead to unexpected routing or responses in an unintended language, which may confuse users or cause analysis mistakes if prompts are interpreted under the wrong locale assumptions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal