Csv Documentation Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real CSV validation-document generator, but it includes broad automation, source scanning, and persistent agent/Git changes that should be reviewed before use.

Install only if you are comfortable with a skill that can run Python setup, scan project source files, write requirements/audit/template files, and optionally persist behavior through system-prompt rules or Git hooks. Prefer using it in a dedicated project directory, avoid global hook installation, do not add the cross-skill AGENTS.md rules unless you explicitly want that behavior, and review generated file changes before committing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pip_path = venv_path / "bin" / "pip"

    try:
        subprocess.run(
            [str(pip_path), "install", "-r", "requirements.txt"],
            cwd=skill_root,
            check=True,
Confidence
90% confidence
Finding
subprocess.run([str(pip_path), "install", "-r", "requirements.txt"], cwd=skill_root, check=True)

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The README expands the skill from document generation into codebase parsing, e-signature detection, Git linkage, and traceability automation. That scope creep increases access to source code and repository metadata beyond what users would reasonably expect from a CSV documentation generator, which can enable unnecessary data exposure or agent overreach if invoked automatically.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented agent modes allow autonomous and non-interactive execution, including automatic switching when stdin is unavailable. For a skill that can create environments, install dependencies, parse code, and generate artifacts, silent autonomous behavior materially raises the risk of unintended filesystem changes and broad repository access without user confirmation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README instructs operators to modify the agent's system prompt so all skills will emit special annotations. Cross-skill system-prompt manipulation changes behavior outside this skill's stated remit and can create a persistent policy hook affecting unrelated tasks, increasing the blast radius of mistakes or abuse.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README expands the skill from document generation into source-code parsing and cross-skill prompt propagation, which increases its effective authority and data access beyond the stated purpose. In an agent setting, this kind of scope expansion can cause unintended inspection of arbitrary repositories and prompt-level influence on unrelated skills, creating a confused-deputy risk and broader blast radius.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Documenting autonomous mode control and automatic requirement addition enables the skill to take actions without user confirmation, which is a meaningful security concern for an agent-integrated tool. Because the stated purpose is documentation generation, unattended mode changes and auto-add behavior introduce unnecessary authority that could silently alter project artifacts or workflows.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README describes a much broader capability set than a simple documentation generator, including project initialization, requirements database management, test ingestion, audit logs, and git-linking. This feature creep increases attack surface and raises the chance that an agent invokes filesystem, repository, or workflow-modifying behavior under the guise of generating documents.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly instructs operators to modify the agent's global system prompt so this skill's rules apply across all skills. That creates a scope-expansion/prompt-persistence risk: a domain-specific skill can influence unrelated future tasks, which violates least privilege and can cause unintended behavior or policy drift across the agent. In a security review, any guidance to alter the global prompt is dangerous because it normalizes persistent instruction injection beyond the skill's declared purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill does more than generate documents: it reads project artifacts, modifies templates in place, creates or updates requirements.json, and performs bidirectional synchronization. This expands its write scope from output artifacts to source-controlled project files, creating integrity risk and making it possible to overwrite or inject content into documentation inputs without strong boundary checks or explicit user approval. In a documentation generator, this is more dangerous because users may reasonably expect read-only processing of templates and project metadata.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code searches parent directories and monorepo structures for requirements.json and enumerates subprojects beyond the immediate requested target. That broad discovery behavior can expose unrelated project metadata and cause the skill to act on files outside the intended scope, especially in shared repositories or sensitive monorepos. For a CSV documentation tool, this is not necessary for core generation and increases the blast radius of both read and write operations.

Intent-Code Divergence

Low
Confidence
72% confidence
Finding
The interactive workflow says it will parse project artifacts, but the implementation calls parse_directory(Path('.')), which may operate on the current working directory instead of the intended project_path. This can unintentionally scan unrelated files, ingest wrong requirements, and leak metadata from whatever directory the process was launched in. The impact is lower than direct code execution, but it still violates least surprise and scope control.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script installs a Git post-commit hook, including into the user's global Git template, which is unrelated to generating CSV/GxP documentation. This creates hidden persistence in the developer workflow and causes code to execute automatically on future commits, expanding the skill's behavior beyond its declared purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The global installation path modifies the user's Git template/hooks configuration, affecting repositories beyond this project. For a documentation-generation skill, this is unjustified and dangerous because it can establish broad automatic execution in the developer environment with little visibility.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest describes a CSV documentation generator, but this file performs local and global Git hook state changes. That mismatch is a supply-chain red flag because users invoking a documentation skill would not reasonably expect environment-modifying executable persistence mechanisms.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The loader builds template paths directly from the untrusted doc_type value using self.templates_dir / f"{doc_type}.md" and similar for .xlsx, without validating that doc_type is a simple filename or that the resolved path stays within the templates directory. An attacker who can influence doc_type could use path traversal segments such as ../ to read arbitrary files with matching extensions outside the intended template folder, potentially exposing sensitive documentation or local files.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger conditions rely on broad CSV/compliance keywords, making accidental invocation likely for general regulatory or documentation discussions. In an agent ecosystem, overbroad triggering can cause the skill to activate unexpectedly and perform setup, parsing, or generation actions the user did not intend.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the tool will automatically create a virtual environment and install dependencies on first run, but does not foreground that this modifies the filesystem and executes package installation. In an agent context, implicit environment setup can become a supply-chain and consent problem, especially if triggered automatically from user prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents that non-interactive environments automatically switch to autonomous mode and proceed without confirmation. That is dangerous because many agent executions are non-interactive by design, so the skill may silently take actions such as scanning files or generating outputs when no human approval is possible.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger keywords are broad and open-ended, making it easier for an agent platform to invoke this skill in situations only loosely related to CSV documentation. Overbroad activation increases the risk of accidental execution of installation, parsing, or autonomous behaviors in the wrong context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the tool will automatically create a virtual environment and install dependencies, but does not clearly warn that this changes the filesystem and executes package installation. In agent contexts, silent environment setup can become an unexpected side effect with supply-chain and integrity implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The autonomous mode is explicitly described as executing without confirmation, yet no safety warning or operational boundary is provided. In an agent environment, confirmation bypass materially increases the chance of unintended writes, document generation, or state changes occurring without human review.

Missing User Warnings

High
Confidence
98% confidence
Finding
Automatically switching to autonomous mode when stdin is unavailable is especially dangerous because many CI, batch, and agent environments are non-interactive by default. This creates a silent behavior change that can turn read-review workflows into unattended write workflows, increasing the likelihood of unauthorized or unnoticed modifications.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Several triggers are broad terms such as `GxP`, `EDC`, `CTMS`, `LIMS`, and `21 CFR Part 11`, which could activate the skill in contexts that do not actually request document generation. Because the skill can execute commands, write files, set up environments, and modify project artifacts, over-broad activation increases the risk of unintended execution in unrelated conversations or repositories.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions include short acronyms and generic phrases such as "VP" and project-stage terms that can plausibly appear in unrelated user conversations. In an agent setting, this can cause unintended skill activation and generation of regulated validation content in the wrong context, increasing the chance of prompt hijacking, workflow confusion, or unauthorized document creation.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Multiple sections rely on broad phrases and overloaded acronyms like URS, FS, RA, IQ, OQ, PQ, and validation-related terms that have meanings outside this domain. This creates a systematic risk of unintended invocation across many workflows, which is more dangerous here because the skill can auto-fill interdependent compliance documents and propagate mistaken assumptions through the document chain.

VirusTotal

VirusTotal findings are pending for this skill version.
