Back to skill

Security audit

FineBI Skills

Security checks across malware telemetry and agentic risk

Overview

This FineBI skill is a disclosed BI workflow router, but users should be careful because it can access and move business data when configured with FineBI credentials.

Install only if you trust finebi-cli and are comfortable giving the agent FineBI access tokens. Before using sync, export, group chat, or scheduled workflows, confirm exactly which dashboard or dataset is used, which destination receives the data, and whether the content contains confidential business information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports syncing FineBI data to external table systems such as Feishu Bitable, but it does not require any user-facing warning, confirmation, or policy check before data leaves the original BI environment. This is dangerous because BI dashboards and datasets often contain sensitive business or personal data, and silent or poorly explained export/sync behavior can lead to unintended data disclosure or compliance violations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation with no visible activation constraints, so the agent may auto-route into FineBI workflows based on loosely matching user intent rather than an explicit user request. In a skill that operates on real CLI data and can trigger dashboard, alert, reporting, or sync workflows, this increases the chance of unintended data access or unintended actions being performed in the wrong context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly supports exporting dashboard PDFs and syncing summarized business intelligence output to group chats, but it does not warn about potential disclosure of sensitive business data to unintended recipients. In a BI context, dashboards often contain confidential operational or financial information, so omission of consent, audience, and data-classification checks creates a real risk of accidental data leakage.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.