Phylogenetic Tree Styler

Security checks across malware telemetry and agentic risk

Overview

This skill is a local phylogenetic tree rendering tool with ordinary file input/output and no evidence of hidden data access, persistence, exfiltration, or destructive behavior.

Install it in a virtual environment or container, pin dependency versions for reproducible use, and provide input and output paths inside a project workspace to avoid accidental reads or overwrites outside the intended directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
74% confidence
Finding
The 'When to Use' text broadens the skill from a narrow phylogenetic-tree styling tool into generic data-analysis territory. In agent environments, overly broad routing criteria can cause this skill to be invoked on unrelated inputs, leading to unsafe file handling, misleading outputs, or accidental execution of packaged scripts outside their intended domain.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The acceptance criteria state the skill accepts requests matching its documented purpose with 'enough context,' but the documented purpose is itself broad and ambiguous. This can permit unintended invocation on non-tree tasks or malformed inputs, increasing the chance of unsafe script execution, improper file access, or user reliance on outputs that the tool was never designed to produce.

Unpinned Dependencies

Low
Category
Supply Chain
Content
ete3
matplotlib
numpy
pandas
Confidence
97% confidence
Finding
ete3

Unpinned Dependencies

Low
Category
Supply Chain
Content
ete3
matplotlib
numpy
pandas
Confidence
98% confidence
Finding
matplotlib

Unpinned Dependencies

Low
Category
Supply Chain
Content
ete3
matplotlib
numpy
pandas
Confidence
99% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
ete3
matplotlib
numpy
pandas
Confidence
99% confidence
Finding
pandas

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
83% confidence
Finding
numpy

VirusTotal

66/66 vendors flagged this skill as clean.
