It is designed for scenarios that require direct operating system application and in-depth data analysis.

[Forced trigger scenario]:
- User mentions reading/writing/manipulating Excel, WPS, Word, TXT, Markdown, RTZ, etc.
- User wants to "grab", "extract", and "get" data from any application
- User needs to perform "in-depth analysis", "trend research", "anomaly detection", and "prediction" on the data
- User requests to generate "charts", "visualizations", "dashboards", "data reports"
- Users say, "Help me see in this document...", "Analyze this data...", "Make a chart presentation..."
- Any task involving cross-application data flow

[Core Competencies]: System interface calls × Data in-depth analysis × Professional visualization

IMPORTANT: As long as it involves any of the file operations, data analysis, and visualization, this skill must be used. Don't skip tasks just because they "look simple" - there are many pitfalls in the underlying interface calls, and there are pitfall avoidance guides in the skills.

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for local file and data analysis, but it gives itself broad activation scope and includes under-disclosed local persistence plus raw macOS automation helpers.

Install only if you are comfortable with a skill that can read local files, automate desktop applications, and create derived files containing source data. Use it on non-sensitive data first, review any generated JSON/report/log files, and avoid granting broad macOS automation permissions unless you trust the publisher and need that capability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script is presented as a document loader/parser, but its main routine also writes a derived JSON file to disk as a side effect. In a skill explicitly intended for file operations and cross-application data handling, this can unexpectedly persist sensitive document contents to local storage, increasing exposure through leftover artifacts, backups, or other processes reading the file.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is presented as a reader but persistently writes the extracted workbook contents to a JSON file in the current directory. That creates an unintended data propagation path: sensitive spreadsheet contents may be copied to disk without explicit user consent, increasing exposure through leftover files, backups, sync clients, or other local users/processes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The top-level documentation describes the tool purely as a reader, while the implementation also exports all extracted data to a new JSON file. This mismatch can mislead operators into using the tool in sensitive environments under the assumption that it performs non-persistent inspection only, which increases the chance of accidental data leakage.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script presents itself as an extractor but unconditionally persists the extracted document contents to a new JSON file on disk. Because the extracted data may contain sensitive spreadsheet or document contents, this creates an unexpected local data copy that can expose confidential information, leave residual artifacts, and violate user expectations in a file-handling skill with broad trigger conditions.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The top-level documentation describes extraction usage but omits that execution also creates a JSON file containing the full extracted contents. This is dangerous because users may run the tool in sensitive directories or on confidential documents without realizing it will leave a persistent secondary copy behind.

Vague Triggers

High
Confidence
96% confidence
Finding
The activation criteria are extremely broad and include common phrases like reading files, analyzing data, or making charts, plus an explicit instruction to always use this skill for almost any file/data task. That can cause unintended invocation of a high-privilege skill that performs system file access and cross-application data flows, increasing the chance of over-collection, unnecessary file writes, or misuse in contexts where a narrower/safer tool should be used.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill mandates generating and saving multiple artifacts, including structured analysis data and summaries, but does not disclose that user data and derived insights will be persisted to disk. In a file-analysis skill, silent persistence materially increases privacy and data-handling risk because sensitive source content, intermediate results, and visualizations may remain on the host after the task completes.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad, everyday requests that can cause the skill to activate on routine file-reading or analysis tasks without clearly bounded consent or scope checks. In this skill’s context, automatic activation matters because the capability includes direct system file access and writing outputs, so over-triggering can lead to unintended access to local data and unnecessary persistence of derived artifacts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises system-level file operations and report/output generation but does not warn users that the skill may read local files, invoke platform-specific interfaces, and write artifacts to disk. In a security-sensitive agent setting, omission of these effects reduces informed consent and increases the chance of unintended data exposure, modification, or persistence.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger conditions are extremely broad and mandatory, covering almost any file operation, extraction, analysis, or visualization request. This can cause the skill to activate in routine situations and automatically perform sensitive file access or data processing even when a narrower, safer response path would be more appropriate.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The automatic format-detection entry point encourages loading arbitrary files through a single generic interface without clear restrictions on trusted paths, file sizes, or unsupported/sensitive inputs. In context, this increases the chance of over-collection, accidental ingestion of confidential data, or unsafe handling of unexpected file types.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill tells the agent to immediately read files, analyze data, visualize results, and generate reports by default, while explicitly discouraging asking the user about format or preferences. This removes meaningful consent checkpoints and can expose or transform sensitive user data without warning, especially in a skill designed for direct system and file interaction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the full parsed document to stdout, which may expose sensitive contents to terminal history, calling processes, logs, CI pipelines, or agent transcript capture. Given this skill's purpose is direct system/application data extraction and analysis, the context makes this more dangerous because it is likely to handle real user files containing confidential business or personal data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes the fully parsed contents to a new JSON file without warning or confirmation, creating an untracked copy of potentially sensitive data. In this skill context, which is designed for broad file ingestion across office and text formats, silent replication of content materially increases the risk of data leakage, unintended retention, and discovery by other local users or tools.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script automatically writes extracted workbook contents to a JSON file in the current working directory, which can persist sensitive spreadsheet data without explicit user confirmation or clear notice. In a skill designed for cross-application data extraction and analysis, this increases the chance of unintended local data exposure, especially for confidential business spreadsheets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the full extracted spreadsheet contents to a JSON file without prior warning beyond minimal usage syntax and without requiring explicit authorization for persistence. In the context of a skill designed for cross-application data extraction and analysis, this is more dangerous because users may process confidential business data, and silent export creates an additional untracked copy on disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Writing extracted document contents to a JSON file without explicit user warning or consent creates silent data persistence. In this skill's context—designed for direct file operations and cross-application data extraction—documents may contain sensitive business or personal data, so creating an additional plaintext-like copy increases exposure through local access, backups, syncing, and accidental sharing.

Ssd 3

Medium
Confidence
94% confidence
Finding
The requirement to always retain and emit operation logs, together with structured outputs and reports for every task, can capture filenames, paths, extracted content, row samples, or sensitive analysis results in normal output artifacts. In a file-analysis skill, mandatory logging materially increases the risk of secondary disclosure beyond the user's original request.

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess

def run_applescript(script: str) -> str:
    result = subprocess.run(
        ['osascript', '-e', script],
        capture_output=True, text=True, timeout=60
    )
Confidence
96% confidence
Finding
subprocess.run( ['osascript', '-e', script], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess, json

def run_jxa(script: str):
    result = subprocess.run(
        ['osascript', '-l', 'JavaScript', '-e', script],
        capture_output=True, text=True
    )
Confidence
96% confidence
Finding
subprocess.run( ['osascript', '-l', 'JavaScript', '-e', script], capture_output

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core data processing
pandas>=2.0.0
numpy>=1.24.0
scipy>=1.10.0
statsmodels>=0.14.0
Confidence
96% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core data processing
pandas>=2.0.0
numpy>=1.24.0
scipy>=1.10.0
statsmodels>=0.14.0
Confidence
96% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core data processing
pandas>=2.0.0
numpy>=1.24.0
scipy>=1.10.0
statsmodels>=0.14.0

# Excel/document parsing
Confidence
96% confidence
Finding
scipy>=1.10.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
scipy>=1.10.0
statsmodels>=0.14.0

# Excel/document parsing
openpyxl>=3.1.0
Confidence
95% confidence
Finding
statsmodels>=0.14.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
statsmodels>=0.14.0

# Excel/document parsing
openpyxl>=3.1.0
python-docx>=1.0.0
chardet>=5.0.0
Confidence
97% confidence
Finding
openpyxl>=3.1.0

VirusTotal

66/66 vendors flagged this skill as clean.
