Back to skill

Security audit

tableau

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent helper for the tableauc conversion workflow, with disclosed local file generation and command execution but no evidence of hidden data access or malicious behavior.

Install this only if you want an agent to create and modify local conversion files and run tableauc in your workspace. Keep the default temp/ workspace or use version control, review generated config paths before running on real project files, and approve or perform any tableauc Go installation yourself, preferably with a pinned trusted version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly directs the agent to create directories and generate files automatically in a local working directory. That behavior modifies the user's workspace without requiring an explicit confirmation step, which can lead to unintended file creation, overwrites, or repository pollution even if the skill's goal is legitimate.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow mandates creating or modifying multiple input artifacts, including spreadsheets and config.yaml, as part of normal operation. Because this is framed as an unconditional requirement rather than a user-approved action, the skill could cause unexpected persistent changes to the local environment and overwrite existing configuration files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to run CLI commands that generate .proto and config output files immediately after edits. Running generation commands without an explicit warning or confirmation can produce broad workspace changes, trigger tool side effects, and leave behind derived artifacts the user did not request.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger evaluation set is broad enough that the skill may activate on adjacent topics involving Excel, protobuf, config conversion, or generic schema tooling rather than only the intended Tableau/tableauc ecosystem. Over-triggering can route users to the wrong skill, causing confused-deputy behavior, poor advice quality, and accidental handling of unrelated tasks under an overly authoritative domain description.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.