Back to skill

Security audit

Pugongying Data Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent data-engineering skill suite, but it asks for broad write, shell, agent, database, and deployment-oriented authority without enough scoping or confirmation guidance.

Install only if you are comfortable with a broad data-engineering automation suite. Use it in a disposable or development workspace first, review generated SQL and ETL code before running it, keep production credentials out of prompts and generated files, and require manual approval before any database write, replace/upsert, DELETE/UPDATE repair, package handoff, or deployment step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill includes a Bash-based project initialization command that creates files and directories, which exceeds the core need of architecture reasoning and document generation. Even if intended as convenience scaffolding, granting shell execution in a planning skill increases the attack surface for unintended command execution, path misuse, or abuse when invoked on untrusted inputs or repositories.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The architecture-design assistant is presented as a planning/reasoning tool, but it is documented with Edit/Write/Bash permissions, violating least privilege. This mismatch is dangerous because a skill triggered for high-level design work could modify repository contents or execute commands without those capabilities being necessary for the stated task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The layer-design assistant's role is conceptual warehouse-layer design, yet it is granted Bash execution capability. Because the function is specification-oriented rather than operational, shell access is unnecessary and creates a path for unintended local actions, especially if future prompts or linked content influence command construction.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The topology-design assistant is documented as designing dependencies, schedules, and recovery behavior, but it also has Bash privileges. That makes the skill more dangerous than its declared scope suggests, because a task framed as documentation and planning could still perform command execution on the host environment.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs running a shell script (`bash .claude/skills/dq-assistant/scripts/init-project.sh ...`) to initialize a project. Even though this appears intended for convenience, introducing shell execution in a documentation-driven skill expands its capability from advisory data-quality assistance into filesystem-affecting code execution, which can be abused if the script path or arguments are tampered with or if users invoke it without reviewing the script.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill is presented as a data quality check executor, but it goes beyond read-only validation by generating repair SQL that includes UPDATE and DELETE statements. In practice, users may copy and run these statements without sufficient review, causing unintended data corruption or deletion, especially because no safety guardrails, approval steps, or rollback guidance are provided.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documented workflow says the skill executes check SQL and generates reports, which implies non-destructive behavior, yet later content introduces modification SQL that changes production data. This mismatch increases the risk that operators will trust the skill as safe for monitoring and accidentally use it for write operations, violating least surprise and raising operational risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill describes the review stage as using a read-only Explore agent, yet states the output is a review report plus optimized code. This mismatch can mislead operators about actual capabilities and trust boundaries, increasing the risk that a supposedly non-mutating review step is treated as safe while code changes are introduced elsewhere without clear authorization or audit expectations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill exposes a shell-based project initialization command that scaffolds files and directories via Bash, which expands its capabilities from advisory modeling into filesystem-modifying execution. Even though the command appears intended for convenience, invoking external scripts in a skill increases the risk of unintended file writes, abuse of path arguments, or execution of unsafe script content if the script or inputs are modified or user-controlled.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill documentation states that it will automatically trigger downstream SQL, ETL, and data-quality skills, which materially extends behavior beyond the three declared functions in the manifest. This hidden orchestration can cause unexpected multi-step actions, broader data exposure, and additional file generation or processing without the user realizing the full execution scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill documents execution of a local shell script (`bash .../init-project.sh`) even though its primary purpose is SQL assistance. Any skill that normalizes shell execution and file-system modification expands the attack surface substantially: a user may trigger arbitrary local changes, and a compromised or modified script could execute unintended commands with the agent's available permissions.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The document says the skill outputs only test_package.yaml while also describing automatic deployment triggering after tests. That ambiguity can cause operators or downstream agents to invoke deployment-affecting actions unexpectedly, increasing the risk of unintended system changes after test execution.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger terms are very broad and generic to normal data work, which can cause the skill to activate in many contexts beyond the user's actual intent. Overbroad invocation increases the chance that downstream modules generate code, recommend actions, or steer workflows without sufficient user confirmation, especially in a multi-module automation suite.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown describes deployment progression such as '测试通过 → 部署上线' and '/test-engineer 验证并部署' without any warning, approval gate, or clear statement that deployment actions may affect real systems. In a skill focused on data pipelines and warehouses, ambiguous deployment guidance can lead users or agents to perform system-impacting changes in production without adequate review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes automatic reading of upstream files and automatic triggering of downstream skills without explicit notice or confirmation. In a chained skill ecosystem, implicit file consumption and delegation can expose sensitive project data to unintended processing steps and cause actions the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
This section explicitly defines a user profile service with behavioral features such as interest tags, activity level, and lifecycle stage, yet includes no mention of consent, purpose limitation, access restriction, or safeguards for profiling. In the context of a reusable skill/example for data engineers, that omission can normalize privacy-unsafe implementation of user profiling systems and lead to overcollection or misuse of personal data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises generating outputs that may include sample data, statistics, quality reports, and written package files, but it does not require explicit user consent or warn about possible exposure of sensitive records and local file modifications. In a data-quality context, sample rows and schema artifacts often contain production identifiers, PII, or business-sensitive metadata, making silent output generation and persistence risky.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill generates repair SQL containing UPDATE and DELETE examples without warning about destructive consequences, environment targeting, backup requirements, or review procedures. That omission makes accidental misuse more likely, particularly in data engineering contexts where users may execute generated SQL directly against shared or production databases.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger phrases are very broad ETL-related terms that can match ordinary discussion, causing the skill to activate in contexts where the user did not intend code generation, review, or shell-enabled project setup. In this skill, that matters because some subfunctions are write- and bash-capable, so accidental invocation expands the chance of unintended file creation, workflow steering, or unsafe follow-on actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The template explicitly supports destructive load modes such as `replace` and writes directly to target databases, but the skill text provides no safety warning or guardrails around when these modes are appropriate. In an agent skill that can generate runnable ETL code, this omission increases the risk that users deploy code which overwrites production tables or performs unintended bulk modifications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The generated Python template constructs database connection strings from inline username/password fields and is designed to connect to real external systems, yet the skill does not warn against hardcoding secrets or using production credentials. This is dangerous because users may paste real credentials into generated code, leading to credential leakage in source control, logs, or shared artifacts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template includes SQL operations that create temp tables, perform MERGE/UPSERT, and drop tables via cleanup logic, but the skill does not disclose that generated code can modify or delete database objects. In the context of an automation-focused ETL skill, this is materially risky because users may treat the output as boilerplate and run it against production systems without understanding the side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill generates executable ETL templates that include live database connection handling and data-changing operations such as append, replace, and upsert, yet it provides no safety warning, guardrails, or requirement for confirmation before destructive use. In this context, users may generate and run code against production systems with embedded credentials or unsafe parameters, increasing the risk of accidental data loss, unauthorized data movement, or exposure of sensitive connection details.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes automatic downstream triggering and project scaffolding behaviors that may write files or create directories, but it does not provide prominent warnings about these side effects or require explicit confirmation. In an agent setting, undocumented write behavior is dangerous because users may expect analysis-only assistance while the skill performs persistent changes to the workspace.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions are broad enough that the skill may activate during generic dbt discussions rather than only when the user explicitly wants code or file generation. In a skill with write/edit/bash capabilities, accidental invocation can cause unintended repository changes, overproduction of code, or unsafe tool use without clear user intent.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.