Citation Formatter

Security checks across malware telemetry and agentic risk

Overview

This skill is a low-risk citation-formatting helper, though its documentation overstates and inconsistently describes the available API.

Before installing, treat it as an offline AMA citation converter rather than a full 1000-style reference-management system. Use the CLI entry point scripts/main.py and ignore the documented CitationFormatter Python API until the publisher fixes the examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 76%
Finding
The Quick Start section references conflicting import paths and APIs that do not align with the documented primary entry point. In agentic settings, contradictory execution guidance can cause the wrong module to be invoked, bypass expected controls, or lead users to trust nonexistent interfaces and behaviors.

Vague Triggers

Medium
Confidence: 84%
Finding
The activation guidance is broad enough to trigger the skill for generic academic-writing tasks beyond citation formatting. Over-broad routing can cause an agent to apply the wrong tool, mishandle unrelated content, or grant file-processing behavior in situations where a narrower skill should have been used.

Vague Triggers

Medium
Confidence: 88%
Finding
The manifest summary 'Use when working with citation formatter' is overly broad and can cause the skill to be considered in many generic citation-related contexts without clear boundaries. Broad activation text increases the chance of inappropriate routing or over-invocation, which is a security concern because an agent may expose the skill in situations the author did not intend.

VirusTotal

65/65 vendors flagged this skill as clean.
