GO/KEGG Enrichment

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate GO/KEGG analysis skill, but it needs review because it uses unsafe dynamic evaluation and under-discloses external data transfer.

Install only after reviewing or patching the eval() ratio parsing. Run it in an isolated project environment, keep input and output paths inside your workspace, and avoid Enrichr or other online workflows for unpublished, proprietary, or clinical gene lists unless you explicitly accept external data transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

eval() call detected

High
Category
Dangerous Code Execution
Content
# Convert ratio to numeric if needed
if plot_data[ratio_col].dtype == object:
    plot_data['ratio_numeric'] = plot_data[ratio_col].apply(
        lambda x: eval(x) if '/' in str(x) else float(x)
    )
else:
    plot_data['ratio_numeric'] = plot_data[ratio_col]
Confidence
98% confidence
Finding
lambda x: eval(x) if '/' in str(x) else float(x)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents local script execution that reads user-supplied gene files and writes results, but it does not declare permissions for those capabilities. Missing or inaccurate permission declarations weaken security review and user consent because the runtime may access local files in ways the metadata does not clearly authorize. In this bioinformatics context, file access is expected, but undeclared access still increases risk if operators assume the skill is more constrained than it is.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document claims there are no external API calls, yet elsewhere states KEGG REST/API access and internet-required queries. This inconsistency can mislead reviewers and users about network exposure, causing the skill to be deployed in environments that prohibit outbound connections or where data egress should be assessed. While not proof of maliciousness, inaccurate security disclosures materially undermine trust and risk evaluation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes running local Python scripts and generating output files, but does not prominently warn users about local execution and filesystem side effects at the point of use. Users may provide sensitive input files or run the skill in privileged directories without realizing it will execute code and create artifacts. In a scientific analysis skill this behavior is expected, but insufficient disclosure still raises operational and privacy risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill can send user-provided gene lists to the remote Enrichr service via --use-enrichr without an explicit user-facing privacy warning or consent checkpoint. While gene lists are not always sensitive, they can encode unpublished, proprietary, or clinical research data, so silent off-system transmission creates a real data disclosure risk in this bioinformatics context.

VirusTotal

66/66 vendors flagged this skill as clean.