Data Chart Builder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward chart-building skill; its remote data access is disclosed and fits the stated purpose, with ordinary caution needed for untrusted URLs.

Install only if you are comfortable with a charting helper that can read local data files, fetch CSV/FRED data from the network, and write image files to paths you configure. Treat configs from other people as untrusted, especially if they contain URLs or output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly supports remote CSV URLs and FRED retrieval, but the description and workflow do not clearly warn users that executing the skill may initiate outbound network requests. This can surprise users, expose sensitive context through unintended fetches, or permit misuse in environments where network access should be explicit and consented to.

Missing User Warnings

Low
Confidence: 91%
Finding
The script accepts attacker-controlled URLs via CSV sources and fetches them directly with pandas, which can trigger unintended outbound network access from the host running the skill. In this chart-building context, that creates an SSRF-style risk surface and data exfiltration/network probing potential, even though the primary feature is legitimate remote data ingestion.

VirusTotal

65/65 vendors flagged this skill as clean.
