System Data Intelligence — File · Analysis · Visualization

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate data-analysis skill, but it is rated Review because it activates on many common data tasks, can use high-impact OS, database and API access, and automatically persists extracted data to disk.

Review before installing. Use it only for data you are comfortable having copied into local JSON/report files, and prefer running it in a contained workspace. Be cautious granting macOS Accessibility/Automation or Windows COM access, and only provide database credentials, API tokens, and file paths for tasks you explicitly want the skill to handle.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (17)

Context-Inappropriate Capability

Severity: Medium · Confidence: 89%

This section documents arbitrary AppleScript/JXA execution through osascript, which expands the skill from file/data handling into general macOS automation and application control. In an agent skill that may compose or relay user-controlled scripts, this creates a capability to drive local apps, access documents, and perform unintended OS actions beyond the declared scope.

Context-Inappropriate Capability

Severity: Medium · Confidence: 82%

The permission-check example probes Accessibility/System Events automation, which is an OS-level control capability not necessary for ordinary file parsing or analysis. Including it normalizes and encourages elevated automation privileges that could later be abused to control other applications or inspect system state.

Description-Behavior Mismatch

Severity: Medium · Confidence: 92%

The script is presented as a parser/loader, but the CLI silently writes a new JSON file derived from the input document. In a system-level skill that handles potentially sensitive files, undisclosed output creation can leak extracted content to disk, leave forensic artifacts, and violate least-surprise and data-handling expectations.

Context-Inappropriate Capability

Severity: Low · Confidence: 80%

The parser adds host OS information to the parsed output even though OS detection is not required to parse the document. In an agent skill designed for file and sensitive-data handling, collecting unrelated host metadata expands the data footprint and can expose environment details to downstream systems, logs, or saved artifacts.

Intent-Code Divergence

Severity: Medium · Confidence: 89%

The module docstring says the tool auto-detects format and loads data, but the implementation also persists parsed content to disk. This mismatch is security-relevant because operators may run it on sensitive documents expecting read-only behavior, while the script actually creates a secondary plaintext-style artifact containing extracted data.

Description-Behavior Mismatch

Severity: Medium · Confidence: 93%

The script is presented as a reader but automatically writes extracted workbook contents to `<stem>_data.json`. In a skill explicitly intended for sensitive data handling, this can create unintended persistence of confidential spreadsheet contents, increasing exposure through leftover files, backups, sync tools, or broader filesystem access.

Context-Inappropriate Capability

Severity: Medium · Confidence: 95%

The script executes dynamically constructed AppleScript through `osascript`, which grants a broader automation surface than simple file parsing. Because both `filepath` and `sheet_name` are interpolated into script source without escaping, a crafted value could alter the AppleScript and potentially trigger unintended Excel or system automation actions under the user's privileges.
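The finding above is the one pattern on this page with a concrete code fix, so here is an added example (not code from the skill under review) showing the unsafe interpolation beside the hardened form. The AppleScript bodies use assumed Microsoft Excel dictionary terms and are not executed here; the Python functions only build the script text and the argument vector, which is enough to show why argv passing contains a crafted `sheet_name` while string splicing does not. The payload and the `/tmp/report.xlsx` path are constructed for illustration.

```python
"""Passing caller-controlled values to osascript: interpolation vs. argv.

Added example, not code from the skill under review. The AppleScript bodies use
assumed Microsoft Excel dictionary terms and are not executed here; the Python
functions only build the script text and the argument vector, so the difference
is inspectable on any OS.
"""
import subprocess
from typing import List


def build_vulnerable_script(filepath: str, sheet_name: str) -> str:
    """The pattern the finding describes: values spliced into AppleScript source.

    A value containing a double quote closes the string literal, and whatever
    follows is parsed as further statements.
    """
    return (
        'tell application "Microsoft Excel"\n'
        f'    open POSIX file "{filepath}"\n'
        f'    set ws to worksheet "{sheet_name}" of active workbook\n'
        '    return value of used range of ws\n'
        'end tell\n'
    )


# Fixed script text. The values arrive through `on run argv` as data and never
# become part of the source, so no escaping is needed at all.
SAFE_SCRIPT = (
    "on run argv\n"
    "    set filePath to item 1 of argv\n"
    "    set sheetName to item 2 of argv\n"
    '    tell application "Microsoft Excel"\n'
    "        open POSIX file filePath\n"
    "        set ws to worksheet sheetName of active workbook\n"
    "        return value of used range of ws\n"
    "    end tell\n"
    "end run\n"
)


def build_safe_command(filepath: str, sheet_name: str) -> List[str]:
    """argv for subprocess.run(..., shell=False).

    `--` ends osascript's option parsing so a filename that starts with '-' is
    not taken as a flag. C argv strings cannot hold NUL; subprocess would reject
    it too, but failing here gives a clear error before Excel is touched.
    """
    for value in (filepath, sheet_name):
        if "\x00" in value:
            raise ValueError("NUL byte in osascript argument")
    return ["osascript", "-e", SAFE_SCRIPT, "--", filepath, sheet_name]


def run_safe(filepath: str, sheet_name: str) -> str:
    """Execute on macOS; kept separate so the builders stay testable elsewhere."""
    result = subprocess.run(build_safe_command(filepath, sheet_name),
                            capture_output=True, text=True, check=True)
    return result.stdout


def applescript_string_literal(value: str) -> str:
    r"""Defence in depth for the rare case a value must be embedded in source.

    AppleScript string literals understand backslash escapes for \\, \", \n,
    \r and \t; escaping the backslash first keeps the others unambiguous.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    escaped = escaped.replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t")
    return f'"{escaped}"'


# Constructed sheet name that breaks out of the literal in the vulnerable form.
PAYLOAD = 'Sheet1" of active workbook\n    do shell script "id"\n    set x to "'


def injection_is_possible(sheet_name: str = PAYLOAD) -> bool:
    """True when the payload reaches the script as source rather than data."""
    script = build_vulnerable_script("/tmp/report.xlsx", sheet_name)
    return "do shell script" in script


def injection_is_contained(sheet_name: str = PAYLOAD) -> bool:
    """True when the script text is untouched and the payload is one argv item."""
    cmd = build_safe_command("/tmp/report.xlsx", sheet_name)
    return cmd[2] == SAFE_SCRIPT and cmd[-1] == sheet_name
```

When reviewing a skill, grep its Python for f-strings or `%`/`.format` calls whose result is handed to `osascript -e`; any such site should be rewritten to the `on run argv` form, with `applescript_string_literal` reserved for values that genuinely cannot be passed as arguments.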

Intent-Code Divergence

Severity: Medium · Confidence: 92%

The script is described as a reader, but it also persists the full extracted workbook contents to a JSON file on disk. In a skill explicitly intended for sensitive data handling, this creates an unexpected secondary copy of potentially confidential data, increasing exposure through leftover files, backups, sync tools, and other local processes.

Description-Behavior Mismatch

Severity: Medium · Confidence: 92%

The script prints extracted document contents to stdout but also silently persists the same data to a local JSON file. In this skill's context, the extractor is explicitly intended for sensitive-data handling, so undocumented disk output can create unintended data-at-rest exposure, leave recoverable artifacts, and violate user expectations or data-minimization requirements.

Intent-Code Divergence

Severity: Low · Confidence: 84%

The header comment describes the tool as an extractor with a simple invocation, but omits that it writes extracted contents to disk. This mismatch increases the chance that operators will run it on confidential WPS files expecting ephemeral processing, while the program actually leaves a persistent JSON copy behind.

Vague Triggers

Severity: High · Confidence: 94%

The skill defines extremely broad trigger conditions and explicitly requires activation for many common file and data-related requests. In an agent framework, this can cause the skill to take over routine tasks, automatically access local files, databases, or APIs, and perform actions without clear user consent or narrower scope checks. Because this is a system-level data skill with file, DB, API, and sensitive-data capabilities, the overbroad trigger makes unintended data access materially more dangerous.

Missing User Warnings

Severity: Medium · Confidence: 90%

The output requirements and execution guidance instruct the agent to immediately parse files, analyze them, generate charts, and write multiple output artifacts by default. This is dangerous because it normalizes silent file access and filesystem writes, which may expose sensitive content, create unauthorized persistent artifacts, or surprise users in environments where file handling should be explicit and consented. The surrounding skill context increases risk because the skill is designed to process potentially sensitive data automatically.

Vague Triggers

Severity: High · Confidence: 98%

The trigger conditions are extremely broad and explicitly say the skill must be used for many common words such as '分析' (analyze) and '读取' (read), as well as files, databases, APIs, and sensitive data. This can force unnecessary activation of a high-privilege skill in routine contexts, increasing the chance of overreach, unintended data access, or network/file operations that a narrower skill would not perform.

Missing User Warnings

Severity: Medium · Confidence: 94%

Writing a parsed JSON file without prior disclosure can unintentionally duplicate sensitive document contents into a new file in the current working directory. In this skill's context, which explicitly targets sensitive data processing, that behavior increases the risk of accidental disclosure, insecure retention, and downstream ingestion by other tools or users.

Missing User Warnings

Severity: Medium · Confidence: 94%

The script silently writes all extracted workbook data to a JSON file after reading, with no upfront notice or explicit consent. In the context of a system-level data-processing skill that may handle private or regulated information, this behavior can surprise users and leak sensitive data into an additional artifact outside the original source file.

Missing User Warnings

Severity: Medium · Confidence: 96%

The code automatically writes all extracted spreadsheet contents to a JSON file without explicit user confirmation or any sensitivity check. Because this skill is positioned for files, databases, APIs, and sensitive data processing, silent persistence is more dangerous: it can leak personal, financial, or regulated data into an unprotected artifact that users may not realize was created.

Missing User Warnings

Severity: Low · Confidence: 90%

Writing extracted document contents to a JSON file without a clear warning can expose sensitive text, tables, and metadata to other local users, backup systems, endpoint indexing, or later forensic recovery. Because this skill advertises sensitive-data and privacy-processing use cases, undisclosed local persistence is more dangerous than it would be in a non-sensitive utility.
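The repeated findings above (silent `<stem>_data.json` output, undisclosed persistence, host metadata added to parsed output) all point at one output policy, so here is a single added example of the loader shape a reviewer would ask for instead. It is not the skill's own code: `parse_document` is a stand-in that handles comma-separated text, the payroll sample is constructed, and the workspace and file names are illustrative. The policy it enforces: no write unless the caller asks, only inside a declared workspace, never over an existing file, owner-readable only, and disclosed when it happens. `leftover_artifacts` is the check to run in a workspace after using a skill like this one.

```python
"""Read-only by default: persist parsed content only on explicit request.

Added example, not the skill's own loader. `parse_document` is a stand-in that
handles comma-separated text (the sample below is constructed); the point is the
output policy wrapped around it.
"""
import csv
import json
import os
import sys
import tempfile
from pathlib import Path
from typing import Any, Dict, List, Optional


def parse_document(path: Path) -> Dict[str, Any]:
    """Stand-in parser. Only document content goes into the result; no host or
    platform metadata is attached, so the artifact is not wider than the input."""
    with path.open(newline="", encoding="utf-8") as fh:
        rows = list(csv.reader(fh))
    return {"source": path.name, "rows": rows}


def load(path: Path, output: Optional[Path] = None,
         workspace: Optional[Path] = None) -> Dict[str, Any]:
    """Parse `path`; write JSON only when `output` is passed explicitly."""
    data = parse_document(path)
    if output is None:
        return data
    if workspace is None:
        raise ValueError("writing output requires an explicit workspace")
    root = workspace.resolve()
    target = output.resolve()
    if root not in target.parents:
        raise PermissionError(f"refusing to write outside {root}: {target}")
    # O_EXCL fails instead of clobbering; 0o600 keeps other local users out.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, ensure_ascii=False)
    print(f"wrote extracted data to {target}", file=sys.stderr)  # disclose it
    return data


def leftover_artifacts(workspace: Path) -> List[str]:
    """Audit helper: JSON files a loader may have left beside its inputs."""
    return sorted(p.name for p in workspace.glob("*_data.json"))


SAMPLE_CSV = "name,salary\nalice,100000\nbob,90000\n"  # constructed sample


def run_demo() -> Dict[str, Any]:
    """Exercise each rule in a throwaway workspace and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        src = ws / "payroll.csv"
        src.write_text(SAMPLE_CSV, encoding="utf-8")

        data = load(src)                                   # read-only call
        after_readonly = leftover_artifacts(ws)
        out = ws / "payroll_data.json"
        load(src, output=out, workspace=ws)                # explicit opt-in
        after_write = leftover_artifacts(ws)
        mode = out.stat().st_mode & 0o777

        try:                                               # escape attempt
            load(src, output=Path(tmp) / "elsewhere.json", workspace=ws)
            escaped = True
        except PermissionError:
            escaped = False
        try:                                               # overwrite attempt
            load(src, output=out, workspace=ws)
            clobbered = True
        except FileExistsError:
            clobbered = False

    return {"rows": len(data["rows"]), "after_readonly": after_readonly,
            "after_write": after_write, "mode": mode,
            "escaped": escaped, "clobbered": clobbered}


if __name__ == "__main__":
    print(json.dumps(run_demo()))
```

The same shape applies to the workbook and WPS extractors the findings describe: the CLI takes an explicit `--output` inside the contained workspace recommended at the top of this page, and a bare invocation prints to stdout and leaves nothing behind.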

VirusTotal

65/65 vendors flagged this skill as clean.
