Auto Data Analysis Claw

Security checks across malware telemetry and agentic risk

Overview

This skill is a local data-analysis helper whose file reading, cleaning, and report generation match its stated purpose, with ordinary caution needed for sensitive datasets and output paths.

Use this skill only on files you intend to analyze, keep backups of original financial or business data, choose output paths deliberately, and prefer Markdown reports when data may contain untrusted HTML content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill instructs the agent to read user-supplied file paths and write cleaned datasets and generated reports, but no explicit permissions are declared. This creates a capability/permission mismatch that can lead to unintended file access or overwrite behavior if the runtime does not strictly constrain paths, especially because the workflow repeatedly passes arbitrary file and output paths into local scripts.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases are extremely broad, including generic requests like '分析一下', '看看数据', and '出报告', which can cause the skill to activate in many ordinary conversations unrelated to the user's intent. In a skill that can read local files and generate outputs, overbroad activation increases the chance of unintended data processing or access to sensitive financial/business information.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal