Guandata BI Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Guandata BI helper, but it can use BI credentials and persist sensitive BI data locally in ways users should review first.

Install only if you are comfortable giving the skill access to your Guandata BI account and storing returned BI data on local disk. Use a least-privilege BI account, keep config.json out of source control, restrict permissions on the skill directory, clear .cache regularly, and avoid using it for highly sensitive datasets unless local caching is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

High (99% confidence)

The implementation of release_page() recursively calls itself again when version == "7" after already invoking the release API once, with no terminating condition. In a 7.x deployment this can recurse indefinitely until stack exhaustion or repeated API calls, causing denial of service, runaway requests, and potentially repeated state-changing operations against the BI service.

Vague Triggers

Medium (95% confidence)

The trigger list includes broad everyday terms such as '分析' (analysis), '门店' (store), '会员' (member), and '订单' (order), which can cause the skill to activate in unrelated conversations. Unintended activation is risky here because the skill is capable of accessing BI data and performing authenticated operations against a backend system.

Missing User Warnings

Medium (93% confidence)

The skill explicitly documents automatic persistence of query results to local CSV files, including a shared cache directory, but does not require user notice, consent, access controls, or secure retention practices. Because the skill handles business intelligence data, local caching can expose sensitive operational or customer data to other local users, processes, backups, or later tasks through cache reuse.

Missing User Warnings

Medium (86% confidence)

get_dataset_data() can write queried BI dataset contents to local CSV files, including metadata and filtered results, which may contain sensitive business data. Persisting remote data to disk without strong consent controls, secure file permissions, retention policy, or encryption increases exposure to local disclosure from other users, backups, or accidental sharing.

Missing User Warnings

Medium (94% confidence)

The query command unconditionally writes returned dataset data to a local cache CSV via _save_to_cache_csv(), even when the user did not request --save. This creates silent persistence of potentially sensitive BI data, broadening the attack surface through local filesystem exposure and violating expectations of ephemeral query behavior.

Missing User Warnings

Medium (92% confidence)

Retrieved card data is automatically normalized and cached to a local CSV file without prior confirmation. Because card outputs may aggregate or reveal sensitive operational data, silently persisting them to disk can leak information to local users, monitoring tools, backups, or other processes on the host.

Missing User Warnings

Medium (92% confidence)

The create-and-get workflow automatically stores fetched card data locally after creating and querying a card, without explicit disclosure. In this skill context the data originates from a BI platform and may include confidential business metrics, so silent caching materially increases risk of unintended retention and disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
