NVEIL — AI Data Visualization & Processing

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed data-processing skill that uses a remote planning service, with a real privacy consideration around broad auto-invocation but no hidden or destructive behavior found.

Install only if you are comfortable sending prompts, column names, data types, and summary statistics to NVEIL's planning service. For sensitive datasets, treat metadata as potentially revealing, and use manual invocation or uninstall the skill if you do not want ordinary data-analysis requests routed through NVEIL automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill tells the host assistant to invoke NVEIL for a very wide range of data-related tasks, including many cases where the model could otherwise answer locally or write code without external service use. Because NVEIL sends prompt text plus dataset schema and summary statistics to a remote planning service, overly broad invocation guidance can cause unnecessary third-party disclosure and unintended tool activation.

Vague Triggers

Medium
Confidence: 94%
Finding
The manifest description says to invoke the skill whenever a task would otherwise require writing common data-science code, which is broad enough to capture many ordinary analytics requests. In an autonomous agent environment, this can bias routing toward a remote-capable tool by default, increasing the chance of unnecessary metadata transmission and tool overreach without clear user consent.

VirusTotal

62/62 vendors flagged this skill as clean.
