universal-data-analyst

Security checks across malware telemetry and agentic risk

Overview

This data-analysis skill is mostly purpose-aligned, but it can run generated Python scripts and encourages sharing data-derived prompts with external LLMs without enough safety controls or privacy warnings.

Install only if you are comfortable reviewing the generated prompt and script files before use. Do not send prompts containing confidential, personal, regulated, or production data to external LLMs without redaction and approval. Use read-only database credentials, avoid production databases, and run any generated Python script only in a restricted workspace or sandbox after manual review.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if script_path and os.path.exists(script_path):
            print(f"🚀 执行分析脚本: {script_path}")
            try:
                result = subprocess.run(
                    [sys.executable, script_path],
                    capture_output=True,
                    text=True,
Confidence
96% confidence
Finding
result = subprocess.run( [sys.executable, script_path], capture_output=True, text=True, cwd=str(self.ses

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The tool is described as a generic data-file loader, but it also supports creating SQLAlchemy engines and executing arbitrary SQL queries. This capability expansion is security-relevant because callers may treat it as local file processing while it can initiate external database connections and run attacker-controlled queries against reachable databases.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The cleaning report is internally inconsistent: it can recommend DELETE_ROWS actions for duplicates, outliers, and business-rule violations, yet the generated summary states that all original rows are retained and even prints the retained row count with a misleading '(100%)'. In a data-processing skill, this can mislead downstream users or agents into believing destructive actions were not recommended, causing incorrect review, audit, or execution decisions on sensitive datasets.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The workflow presents LLM use as manual-only, which may reassure users, but later includes a path that executes externally supplied/generated analysis code. That mismatch increases social-engineering risk because users may treat downstream artifacts as safe workflow outputs even though they are untrusted code.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to send generated prompts to an external LLM API, and those prompts may include uploaded data context or derived sensitive information. Without a clear privacy warning, consent step, or data-handling disclosure, users may unknowingly transmit confidential data to third-party services, creating a real data exposure risk.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The README describes persistent storage of session summaries, prompts, generated scripts, and reports, but does not clearly warn users that potentially sensitive data and model-generated artifacts are written to disk. This can expose confidential information through local filesystem access, backups, shared directories, or accidental retention.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are very generic data-analysis requests and direct file uploads, which can cause the skill to activate during ordinary conversation without clear user intent to run a potentially powerful workflow. In this skill, that risk is amplified because activation may lead to LLM-driven script generation, code execution, file creation, and broad data processing on user-supplied inputs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states it will generate executable Python scripts and run them, then write reports and artifacts, but it does not warn users about these side effects or associated risks. This is dangerous because LLM-generated code operating on untrusted data can cause unintended execution behavior, excessive resource use, unsafe file writes, or misuse of sensitive data without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Supporting SQL databases via connection strings without a privacy and safety warning is risky because users may provide production credentials or point the skill at sensitive systems. In the context of an autonomous analysis skill that generates scripts, this can expose confidential data, enable overly broad queries, or create unintended interactions with external database infrastructure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The SQL path accepts a caller-supplied connection string and raw sql_query, then creates a database connection and executes the query without any warning, confirmation, or policy checks. In an agent setting this can cause unintended outbound network access, access to sensitive data sources, and execution of destructive SQL statements if untrusted input reaches this interface.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists session metadata to disk automatically, including table names, validation details, ontology results, and quality strategy, without any explicit user consent flow or warning. In a data-analysis skill, these artifacts can reveal sensitive dataset structure, business context, and potentially regulated information through derived metadata even if raw rows are not stored.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The method executes an arbitrary script if the provided path exists, with no confirmation prompt, provenance check, or safety validation. Because this skill is designed to handle scripts produced outside the trusted codebase, this creates a direct arbitrary-code-execution path.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The orchestrator writes prompts that include data-derived profiles, samples, and later column details for use with external LLMs, but does not provide a clear privacy/security disclosure at the point of generation. This can expose sensitive dataset contents or metadata to third-party AI services if users follow the suggested workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly tells users to send generated prompt files to external LLMs, and those prompts are derived from the user's dataset and analysis context. Without any warning about sensitive fields, redaction, minimization, or approved model boundaries, users may unintentionally disclose confidential, personal, or regulated data to third-party services.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The keyword trigger patterns are broad enough to activate on many ordinary requests for generic data help, causing the skill to run in situations the user may not have explicitly intended. Because this skill can load uploaded files, generate scripts, and execute analysis workflows, overbroad invocation increases the chance of unintended data processing and expands the skill’s operational surface beyond a narrowly scoped use case.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The description and embedded prompts are written entirely in Chinese and strongly steer the interaction into Chinese without any indication of adapting to the user’s preferred language. This can cause users to misunderstand the workflow, outputs, assumptions, or warnings, especially in a skill that performs multi-step analysis and script generation, reducing informed consent and increasing the risk of misuse or missed limitations.

Ssd 3

Medium
Confidence
95% confidence
Finding
The planning prompt includes raw sample rows via df.head(10).to_string() plus detailed per-column statistics and ranges, then returns that prompt for external LLM use. In this skill context, user-uploaded datasets may contain PII, financial records, or confidential business data, so embedding raw contents into prompts can leak sensitive information to third-party model providers or logs.

Ssd 3

Medium
Confidence
87% confidence
Finding
The ontology prompt includes schema-derived details such as sample categorical values, null rates, unique counts, and inferred time or price columns. While less severe than full row dumps, these details can still disclose sensitive attributes, identifiers, or business semantics when sent to an external LLM.

VirusTotal

67/67 vendors flagged this skill as clean.