Transmission Single-Sided Fault Daily Report Generator

Security checks across malware telemetry and agentic risk

Overview

This skill locally turns a specific Excel fault dataset into a formatted Excel report, with the main caution that the output intentionally includes the full raw-data sheet.

Install only if you intend to process this specific local Excel fault-report workflow. Before running, check the hard-coded input and output paths and treat the generated workbook as sensitive because it includes the complete raw source data, not just aggregate statistics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill instructs users to run a local Python script and read/write arbitrary filesystem paths, but it declares no permissions or trust boundaries. That mismatch is dangerous because an agent or operator may invoke file access and shell execution without explicit review, increasing the chance of unintended access to local data or execution in sensitive environments.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger phrases are broad enough to match ordinary reporting requests, which can cause the skill to activate when a user did not specifically intend to process this dataset or generate a workbook containing raw records. In agent environments, overbroad activation increases the risk of unintended file handling, privacy exposure, or confusing execution of the wrong workflow.

Missing User Warnings

Medium
Confidence: 95%
Finding
The feature list emphasizes that the final workbook retains a full raw-data sheet, but the description does not clearly warn users that all source records and columns are preserved in the output. This is dangerous because users may share the report believing it is aggregated only, unintentionally disclosing sensitive operational details contained in the raw sheet.

VirusTotal

66/66 vendors flagged this skill as clean.
