ClawHub

Cnv Caller Plotter

Security checks across malware telemetry and agentic risk

Overview

This skill does not appear to steal data or damage the system, but it presents a placeholder genomics script as a working CNV analysis tool for sensitive biomedical use.

Install only for demonstration or documentation review. Do not rely on this skill's outputs for research, publication, medical, diagnostic, or patient-related decisions, and handle any genomic input/output files as sensitive data in an approved secure environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The skill advertises BAM/VCF CNV analysis as implemented while the lifecycle section states the CNV-calling logic is placeholder and only planned for future implementation. In this domain, users may rely on the output for cancer or rare-disease interpretation, so misleading capability claims can produce unsafe scientific or clinical decisions and false trust in fabricated or incomplete results.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The top-level description claims real CNV detection capability even though the document later admits the core algorithm is placeholder logic. Because the skill is framed for genomics workflows involving patient-derived data and potentially high-stakes interpretation, this is dangerous deception-by-omission: users could generate and trust invalid CNV calls, leading to downstream misanalysis or inappropriate research/clinical conclusions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal