SQL Dataviz

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims: install charting libraries and generate charts, with ordinary dependency and CDN risks to review.

Install it in a virtual environment if possible, review or pin dependencies for production use, and avoid CDN-backed generated HTML when charts contain sensitive data or must work offline; use local Chart.js/Plotly assets in those cases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Low
Confidence: 89%
Finding: The document instructs loading Chart.js from a public CDN, which causes an external network request and leaks metadata such as client IP, user agent, and access timing to a third party. In a tool/agent context, failing to disclose this behavior can violate privacy expectations and may break in restricted or air-gapped environments.

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 82%
Finding: numpy

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 91%
Finding: pillow

Known Vulnerable Dependency: scipy — 4 advisory(ies): CVE-2013-4251 (SciPy creates insecure temporary directories); CVE-2013-4251 (The scipy.weave component in SciPy before 0.12.1 creates insecure temporary dire); CVE-2023-25399 (A refcounting issue which leads to potential memory leak was discovered in scipy) +1 more

Severity: High
Category: Supply Chain
Confidence: 72%
Finding: scipy

VirusTotal

64/64 vendors flagged this skill as clean.
