ClawHub

Multi-Omics Integration Strategist

Security checks across malware telemetry and agentic risk

Overview

This is a local bioinformatics analysis skill that reads user-provided omics CSV files and writes local result files, with no evidence of hidden network access, credential use, persistence, or destructive behavior.

Install this in a virtual environment, consider pinning dependency versions before use, and treat both input omics datasets and generated outputs as sensitive local research data. Choose the output directory intentionally because the script will create files there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The manifest documents that the skill reads inputs and writes multiple outputs, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may underestimate the file-write capability, and missing explicit permission declarations can weaken sandboxing or approval flows.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The security checklist asserts protections such as path validation and output-directory restriction, but no supporting code is provided. In a skill that accepts file paths and writes outputs, absent or unverified path controls can enable path traversal or unintended writes outside the workspace, especially if users supply crafted --output or input paths.

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
networkx
numpy
pandas
scipy
Confidence
88% confidence
Finding
networkx

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
networkx
numpy
pandas
scipy
sklearn
Confidence
97% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
networkx
numpy
pandas
scipy
sklearn
Confidence
96% confidence
Finding
pandas

Unpinned Dependencies

Low
Category
Supply Chain
Content
networkx
numpy
pandas
scipy
sklearn
Confidence
96% confidence
Finding
scipy

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
numpy

Known Vulnerable Dependency: pandas — 1 advisory(ies): CVE-2020-13091 (** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an)

High
Category
Supply Chain
Confidence
71% confidence
Finding
pandas

Known Vulnerable Dependency: scipy — 4 advisory(ies): CVE-2013-4251 (SciPy creates insecure temporary directories); CVE-2013-4251 (The scipy.weave component in SciPy before 0.12.1 creates insecure temporary dire); CVE-2023-25399 (A refcounting issue which leads to potential memory leak was discovered in scipy) +1 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
scipy

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal