Beta Survey Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for survey analysis, but its advertised AI capabilities and possible external-LLM handling are not clearly aligned with the described implementation and disclosures.

Review before installing. Treat the output as basic keyword-based summarization unless the publisher updates the implementation or documentation. Do not run it on sensitive survey responses unless you confirm whether data stays local or is sent to OpenAI, Anthropic, or another provider, and choose an output path that cannot overwrite important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill documentation indicates the tool writes an output report file, but the manifest declares no permissions despite having file_write capability. This creates a transparency and policy gap: hosts or users may approve the skill without understanding it can create or overwrite local files, which can lead to unintended data exposure or clobbering of files if output paths are not constrained.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill metadata advertises AI-powered survey analysis with theme clustering, BERTopic, and GPT-4o-mini, but the implementation only performs simple keyword matching for sentiment and generates a basic markdown report. This is dangerous because downstream users may rely on nonexistent analytical capabilities for business or policy decisions, leading to false confidence, poor decisions, and compliance or procurement misrepresentation risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The notes mention an OpenAI or Anthropic API key, implying survey responses may be transmitted to an external LLM service, but the skill description does not clearly warn users about this data flow. Survey responses often contain personal, sensitive, or confidential free text, so silent transmission to third parties creates privacy, compliance, and consent risks.

VirusTotal

64/64 vendors flagged this skill as clean.
