ClawHub

Reagent Substitute Scout

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose of finding reagent substitutes from public chemistry and literature sources, with privacy considerations but no evidence of hidden or destructive behavior.

Install only if it is acceptable for reagent queries and optional PubMed API credentials to be sent to NCBI/PubChem services. Avoid using confidential compound names or proprietary project details unless your lab or organization permits external database lookups, and choose output paths deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broader than the narrowly described reagent-substitution purpose, saying it can be used for generic 'evidence insight tasks.' Overbroad routing language can cause the skill to be selected for unrelated tasks, leading users or agents to run a networked, file-capable script in contexts where the inputs, privacy expectations, or safety assumptions do not fit.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The markdown documents external API integrations and local cache/output behavior, but it does not clearly warn users before use that input data may be transmitted to third-party services and that files may be created or modified locally. In a scientific workflow, queries can contain unpublished compound names, experimental targets, or proprietary research details, so insufficient disclosure raises confidentiality and integrity risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
User-supplied reagent names, CAS numbers, and related chemistry queries are sent to external services (NCBI/PubChem) without an explicit privacy notice or consent mechanism. In research and lab contexts, these queries may reveal sensitive project interests, proprietary workflows, or procurement shortages, creating unintended data disclosure to third parties and logs outside the user's control.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal