Open Access Scout

Security checks across malware telemetry and agentic risk

Overview

This is a low-privilege research helper, but it is packaged as legitimate open-access and journal-vetting guidance while listing Sci-Hub and returning mock results as if they were findings.

Review before installing. This skill does not appear to access sensitive data or persist on your system, but it should not be relied on for publication decisions or compliant open-access discovery unless the maintainer removes Sci-Hub, clearly labels mock output, and aligns the script with the documented journal-vetting purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The skill is presented as a journal-evaluation tool, but the finding indicates it also supports locating open-access copies of papers and includes Sci-Hub among access sources. That is a meaningful capability expansion not disclosed by the description, which can bypass policy expectations, mislead reviewers about intended use, and create legal/compliance risk because users may invoke it for article acquisition rather than journal vetting.

Intent-Code Divergence

High
Confidence: 97%
Finding:
The module claims to find legal open-access versions, yet the defined source list includes Sci-Hub, a well-known piracy site. This contradiction can mislead users into accessing infringing content and undermines the trust boundary of a research-assistance skill that is explicitly framed as legal and legitimacy-focused.

Natural-Language Policy Violations

Medium
Confidence: 99%
Finding:
Including Sci-Hub as an open-access source is unsafe in context because the skill is marketed as helping users find legitimate open-access venues and avoid publication scams. Even if labeled 'use with caution,' its presence normalizes or facilitates access to pirated material, creating legal, compliance, and reputational risk for users and deployers.

VirusTotal

66/66 vendors flagged this skill as clean.
