ClawHub

Paper Fetch

Security checks across malware telemetry and agentic risk

Overview

This is a real paper-downloading skill, but it silently self-updates from git and uses Sci-Hub by default despite inconsistent open-access/paywall claims.

Review before installing. Disable or remove the silent auto-update, pin the skill to a reviewed commit or release, and set PAPER_FETCH_NO_SCIHUB=1 if you only want authorized/open-access sources. Enable PAPER_FETCH_INSTITUTIONAL=1 only when your institution permits that use, and choose a scoped output directory for downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README describes a paper-downloading skill, but it also states that the agent will automatically run `git pull --ff-only` on first invocation and immediately apply updates. That is a material hidden capability change: executing code from a remote repository at runtime expands trust boundaries and can turn a benign fetcher into a remote code delivery mechanism if the repo is compromised or the upstream changes unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README explicitly states that the agent will automatically run `git pull --ff-only` on first use of each session, which introduces code-fetching and code-changing behavior unrelated to the declared paper-download function. Silent self-update expands the trust boundary from a local skill to a remote repository at runtime, enabling unreviewed code changes to be applied without user approval.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Advertising `git pull` as part of routine operation means the skill can modify its own codebase whenever invoked, which is a powerful capability not necessary for downloading PDFs. If the upstream repo is compromised or changes unexpectedly, the agent may start executing altered code immediately, creating a supply-chain risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The phrase indicating updates occur with 'no user action required' normalizes hidden side effects and reduces transparency around code changes. Even if not overtly malicious, this encourages silent modification of executable content, which is unsafe for an agent skill because users may believe the tool only downloads files while it is also mutating its own code.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill performs an unrelated self-update via `git pull` at runtime before carrying out the requested task. This introduces a supply-chain and code-integrity risk because executing the skill can silently change the code being run, potentially pulling unreviewed or compromised changes into the current invocation.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill claims a trust boundary around using the caller's own access context, yet also enables Sci-Hub mirror fetching by default. That contradiction conceals legally and operationally risky behavior, and increases exposure to untrusted mirror infrastructure that may serve malicious or deceptive content.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest frames the skill as using scholarly/open-access sources, but the documented behavior includes default fallback to Sci-Hub mirrors. This is a material misrepresentation that can cause users or agents to invoke the skill under false assumptions about legality, source trustworthiness, and network exposure.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation is internally contradictory: it claims the skill will never bypass paywalls while elsewhere advertising Sci-Hub fallback, which is explicitly intended to obtain paywalled papers. This can mislead users, reviewers, or downstream agents into treating the skill as compliant or OA-only when it includes a paywall-bypassing path.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The page makes a strong assurance that the skill will 'absolutely not' bypass paywalls, yet elsewhere explicitly documents a Sci-Hub fallback. This is materially misleading security and compliance documentation: users, integrators, or downstream agents may trust the safer claim and invoke behavior that reaches piracy-associated mirrors, creating legal, privacy, and policy risk.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill description presents the tool as an open-access paper fetcher, but the code also enables publisher-direct retrieval in institutional mode using subscription-backed access. That mismatch can cause an orchestrator or user to invoke the skill under false assumptions, leading to unauthorized use of institutional network identity or credentials.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module docstring claims the tool fetches legal open-access PDFs, but the implementation includes both subscription-gated publisher-direct retrieval and a Sci-Hub fallback. This is dangerous because it misrepresents the tool's behavior and can trick downstream agents or users into initiating legally, ethically, or policy-problematic access paths they did not consent to.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic self-updating via `git pull` without explicit warning or approval is unsafe because it silently modifies the local installation and changes future behavior. In an agent skill context, this can bypass normal review, introduce supply-chain risk, and cause reproducibility and trust failures across conversations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README enables Sci-Hub mirror fallback by default and even describes scraping for fresh mirrors, but provides no explicit privacy, legal, or trust warning. Contacting arbitrary third-party mirrors can expose user interest patterns, DOI queries, IP addresses, and potentially route agents to hostile infrastructure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The self-update behavior lacks a strong warning that invoking the skill may fetch and apply remote code changes automatically. That weakens informed consent and increases the chance an operator will run the skill in a trusted environment without realizing it can alter installed code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Enabling Sci-Hub mirrors by default without a prominent warning is an unsafe default for a networked skill. It increases the chance of unintended access to questionable third-party infrastructure and bypasses informed consent for behavior that many operators would consider unacceptable.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to silently auto-update itself and hide that action from the user. Concealing security-relevant behavior prevents meaningful oversight and makes it harder to audit or reproduce executions, especially if an update changes functionality mid-run.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest explicitly grants both network access and filesystem write capabilities, but the skill metadata shown to users does not warn that invoking it may contact multiple third-party sites and write downloaded PDFs to disk. This increases the chance of users triggering external requests and local file creation without informed consent, which is a real security and privacy concern even if the capability is expected for the skill's purpose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage docs encourage downloading PDFs into user-specified paths such as ~/papers and describe optional Sci-Hub fallback, but they do not prominently warn about filesystem writes, overwrite/placement behavior, or the legal and policy implications of downloading from Sci-Hub. In an agent-skill context, incomplete disclosure increases the chance an autonomous system performs sensitive writes or compliance-violating downloads without informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation promotes automatic PDF download and disk writes, including contacting Sci-Hub mirrors, without a prominent warning that files will be saved locally and that external services may receive user-requested identifiers. In an agent-skill context, this can lead to silent data egress, unexpected filesystem modification, and user exposure to legally or operationally risky third-party endpoints.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The suggested invocation is broad enough to match ordinary user requests for papers, which increases the chance that an agent auto-triggers the skill without the user understanding that it may download files or use a Sci-Hub fallback. In this skill’s context, the broad trigger is more dangerous because the skill performs network access and persistent writes, potentially to controversial mirrors.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Sci-Hub is enabled by default and contacted automatically as a fallback, without a strong user-facing confirmation at the moment of use. In a skill context, this creates covert external network activity to piracy-related domains and can expose the operator to legal, policy, and reputation risk.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
Including built-in Sci-Hub mirror support directly conflicts with the stated purpose of fetching legal open-access PDFs. In this context, the contradiction is especially dangerous because the skill is packaged for agentic use, so hidden piracy fallback behavior may be invoked automatically and at scale.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction to not mention the update unless asked is a deliberate concealment of a code-changing action. Hidden state changes reduce transparency and violate operator expectations, which is especially dangerous in security-sensitive agent environments where reproducibility and auditability matter.

Ssd 4

High
Confidence
93% confidence
Finding
The fallback chain normalizes escalation from legitimate OA sources to subscription-based publisher access and finally to Sci-Hub. That staged design is dangerous because it operationalizes progressively riskier acquisition methods while preserving the appearance of a benign paper-download workflow.

Ssd 4

High
Confidence
96% confidence
Finding
The runtime logic automatically progresses from public OA APIs to publisher-direct subscription fetches and then to Sci-Hub when earlier methods fail. In an agent skill, this is especially risky because it obscures the transition from permitted metadata lookup into access methods that may violate policy, licenses, or law.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal