Rohoon Six Sigma

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local Six Sigma analysis and report-generation toolkit, with some operational cautions but no artifact-backed malicious behavior.

Install only in an environment where you are comfortable running local Python report-generation scripts. Prefer pinning or locking dependencies before production use, and avoid running the batch PDF script on folders that may contain untrusted PDFs unless you remove or disable its automatic open step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for output_dir in [output_dir_en, output_dir_cn]:
    for f in sorted(os.listdir(output_dir)):
        if f.endswith('.pdf'):
            subprocess.run(['open', os.path.join(output_dir, f)], check=False)

print("完成!")
Confidence
88% confidence
Finding
subprocess.run(['open', os.path.join(output_dir, f)], check=False)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatically opening generated files is beyond the minimum capability needed for report generation and increases the attack surface. In this context, the danger is higher because the code enumerates all PDFs in the output folders, so any malicious PDF already present there would also be opened, not just files produced by this execution.

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy>=1.23.0
scipy>=1.10.0
reportlab>=4.0.0
openpyxl>=3.1.0
Confidence
96% confidence
Finding
numpy>=1.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy>=1.23.0
scipy>=1.10.0
reportlab>=4.0.0
openpyxl>=3.1.0
matplotlib>=3.7.0
Confidence
96% confidence
Finding
scipy>=1.10.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy>=1.23.0
scipy>=1.10.0
reportlab>=4.0.0
openpyxl>=3.1.0
matplotlib>=3.7.0
pandas>=2.0.0
Confidence
97% confidence
Finding
reportlab>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy>=1.23.0
scipy>=1.10.0
reportlab>=4.0.0
openpyxl>=3.1.0
matplotlib>=3.7.0
pandas>=2.0.0
Confidence
95% confidence
Finding
openpyxl>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
scipy>=1.10.0
reportlab>=4.0.0
openpyxl>=3.1.0
matplotlib>=3.7.0
pandas>=2.0.0
Confidence
95% confidence
Finding
matplotlib>=3.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
reportlab>=4.0.0
openpyxl>=3.1.0
matplotlib>=3.7.0
pandas>=2.0.0
Confidence
95% confidence
Finding
pandas>=2.0.0

Known Vulnerable Dependency: reportlab — 6 advisory(ies): CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser) +3 more

Critical
Category
Supply Chain
Confidence
83% confidence
Finding
reportlab

VirusTotal

67/67 vendors flagged this skill as clean.
