ClawHub

Thesis Reviewer

Security checks across malware telemetry and agentic risk

Overview

The thesis review workflow is mostly legitimate, but it silently self-updates from Git before each review, which can change installed skill instructions without clear user control.

Review this skill before installing. Remove or disable the silent auto-update instructions, or only run updates after explicit approval from a pinned, trusted source. Use a trusted local markitdown MCP server where possible, and avoid processing confidential or human-subject thesis material unless you are comfortable with the converted Markdown and review reports being saved beside the original file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill for thesis review includes a silent self-update workflow that fetches from GitHub and modifies the local repository before normal operation. This introduces unnecessary network access and code changes unrelated to the declared purpose, creating a supply-chain and unexpected-code-execution risk if the remote repository or branch is compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Bash-based git update steps execute shell commands and can change local code even though thesis review only requires document conversion and analysis. Embedding repository-management commands in a content-review skill expands the attack surface and enables remote changes to influence future executions without meaningful user consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README states that the skill will generate and save multiple output files, but it does not clearly warn users up front that local files will be written. In agent environments, silent file creation can surprise users, leak thesis contents into project directories, or persist sensitive academic material where it may later be indexed, synced, or committed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill processes full thesis documents and depends on an external conversion tool, but the README provides no privacy or data-handling warning for potentially sensitive unpublished research, personal data, or clinical information. This is risky because users may assume processing is entirely local or privacy-preserving when third-party tooling or logs could expose confidential content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The update process is explicitly described as silent and performs network fetches plus repository modification without an upfront warning. Even if the commands are limited to git operations, undisclosed network activity and local state changes violate user expectations and can hide risky behavior in an ostensibly offline document-review task.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill writes a converted Markdown copy of the thesis into the source directory but does not clearly warn the user beforehand. Because theses commonly contain unpublished research or personal information, silently creating additional plaintext copies increases data exposure and retention risk.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The workflow saves draft and final review reports to disk automatically without clear prior notice. Persistent reports may contain sensitive critique, extracted thesis content, or metadata, so creating them by default can leak information to other local users, backup systems, or syncing tools.

Vague Triggers

Medium
Confidence
91% confidence
Finding
`allow_implicit_invocation: true` permits the skill to be invoked automatically based on broad thesis-related keywords, without visible trigger constraints, exclusions, or user confirmation. In a skill that can process uploaded thesis documents and run a conversion tool, this increases the chance of unintended activation, unexpected document handling, and application of high-stakes academic review logic when the user did not explicitly request this specific skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal