Retraction Watcher

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims: it checks academic references against external retraction databases, but users should avoid confidential documents and untrusted PDFs unless the dependency risks are addressed.

Install only if you are comfortable with outbound lookups to services such as Crossref, PubMed, and Open Retractions. Do not use it on confidential manuscripts, sensitive bibliographies, signed URLs, or internal URLs without stronger privacy controls. Run it in a constrained environment for untrusted PDFs and prefer pinning or replacing the PyPDF2 dependency before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The skill description says it scans document reference lists, but the implementation also fetches arbitrary remote content via --url and can process the full document via --full-doc. This creates a broader data-access surface than advertised and can expose non-reference document contents or trigger network access to attacker-controlled locations, making the capability mismatch security-relevant rather than a harmless feature extension.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
Arbitrary URL fetching lets the tool retrieve attacker-specified remote resources even though that capability is not justified by the skill's stated purpose. In an agent setting, this can be abused for SSRF-like access to internal services, fetching sensitive intranet content, or causing the agent to interact with unexpected hosts.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The trigger conditions are broad enough to match common requests like checking references or manuscript review, which can cause unintended activation in contexts the user did not explicitly approve. Over-broad activation increases the chance of unnecessary file access or network transmission of document contents to third-party services.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill states that it uses external retraction and metadata services, but it does not clearly warn users that uploaded documents, extracted citations, titles, DOIs, or other metadata may be transmitted to third-party APIs. This lack of disclosure can expose sensitive unpublished manuscript contents or citation intent without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
When --url is used, the provided document location is transmitted in an outbound request without any explicit disclosure or consent flow. This is dangerous because URLs can themselves contain sensitive information such as signed tokens, internal hostnames, or query parameters, and users may not realize the tool will contact that remote endpoint directly.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The tool extracts citation metadata from user documents and sends identifiers such as DOI/PMID to external services (Open Retractions, Crossref, PubMed) without explicit disclosure. Even if limited to bibliographic data, this can leak confidential research topics, unpublished manuscript references, or reading lists to third parties, which is especially sensitive in academic and enterprise environments.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
dataclasses
pypdf2
Confidence: 90%
Finding:
dataclasses

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
dataclasses
pypdf2
Confidence: 96%
Finding:
pypdf2

Known Vulnerable Dependency: pypdf2 — 5 advisories: CVE-2023-36464 (pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a chara); CVE-2023-36807 (PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects); CVE-2023-36810 (PyPDF2 quadratic runtime with malformed PDF missing xref marker) +2 more

Severity: High
Category: Supply Chain
Confidence: 99%
Finding:
pypdf2

VirusTotal

65/65 vendors flagged this skill as clean.
