Pre-clinical PK/PD Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a local PK/PD analysis helper with ordinary math dependencies and no evidence of hidden access, persistence, network use, or data theft.

Install in a virtual environment, pin and audit numpy/scipy versions if reproducibility matters, and only run the script on trusted PK/PD datasets with user-confirmed input paths. Treat outputs as analytical support that still needs scientific review before use in regulatory or dosing decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broad enough that an agent could select this skill for generic data-analysis requests without strong exclusion criteria, increasing the chance of unnecessary local code execution and file access. In a skill that packages a Python script and encourages editing config and running it, ambiguous scope boundaries can cause unsafe or unintended use on untrusted inputs or inappropriate datasets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to run a local Python script and later acknowledges reading input files and writing outputs, but it does not prominently warn about these side effects before use. This can lead operators to invoke the skill without understanding that it may execute code and modify the workspace, which is especially risky when inputs or paths are user-controlled.

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy
scipy
Confidence
98% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy
scipy
Confidence
98% confidence
Finding
scipy

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
numpy

Known Vulnerable Dependency: scipy — 4 advisory(ies): CVE-2013-4251 (SciPy creates insecure temporary directories); CVE-2013-4251 (The scipy.weave component in SciPy before 0.12.1 creates insecure temporary dire); CVE-2023-25399 (A refcounting issue which leads to potential memory leak was discovered in scipy) +1 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
scipy

VirusTotal

65/65 vendors flagged this skill as clean.
