Csv Brain

Security checks across malware telemetry and agentic risk

Overview

CSVBrain is a coherent CSV analysis helper, but cloud AI queries can send CSV-derived metadata and sample rows to the selected provider.

Install if this workflow fits your data policy. Do not use cloud Anthropic or OpenAI modes with confidential, regulated, customer, or secret-bearing CSVs unless that sharing is approved; use local Ollama or redact sensitive columns and sample rows first. Also verify results manually for important analysis, since AI answers may be inaccurate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill prominently advertises natural-language AI queries but does not clearly disclose up front that using Anthropic or OpenAI sends dataset-derived content to external services. Even though the Limitations section later notes that column profiles and the first 5 sample rows are sent, the absence of an explicit privacy warning near the feature description or ask() API can lead users to unintentionally expose sensitive business or personal data to third-party providers.

Missing User Warnings

Medium
Confidence: 95%
Finding
The ask() method sends dataset headers, column statistics, and the first five rows of loaded CSV data to third-party AI providers (Anthropic/OpenAI) and optionally to a configurable Ollama host. This can expose sensitive or regulated data without any built-in consent flow, redaction, allowlist, or clear disclosure at the point of transmission, creating a real confidentiality and data-governance risk.

VirusTotal

63/63 vendors flagged this skill as clean.
