Data Visualizer

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent local data visualization skill, but its SVG and HTML export commands can create unsafe browser-opened files from untrusted CSV content.

Install only if you are comfortable running a local shell/Python script on data files you choose. Do not use the SVG or HTML export commands on untrusted CSV files unless the exporter is fixed to escape XML/HTML characters, because generated files may execute or render embedded markup when opened in a browser.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill advertises file-writing behavior such as `normalize > normalized.csv`, `to-svg`, `to-html`, and logging to `~/.local/share/data-visualizer/history.log`, but no permissions are declared. Undeclared write and environment usage reduce transparency and can lead users or hosting systems to grant broader access than intended, especially when processing sensitive local datasets.

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill states that history is logged to `~/.local/share/data-visualizer/history.log` but does not prominently warn that filenames, arguments, or potentially sensitive dataset references may be stored locally. This can leak private paths, business data labels, or command contents to other local users, backups, or forensic collection tools.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal