Sample Size & Power Calculator (Advanced)

Security checks across malware telemetry and agentic risk

Overview

This looks like a local statistics calculator, but it overstates advanced power-analysis capabilities that the code does not implement.

Review before installing if you need reliable scientific, clinical, or regulated study planning. Treat it as a limited local sample-size calculator, not a validated advanced power-analysis package, and independently verify formulas and dependency versions before relying on results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The documentation asserts reproducible, bounded behavior while separately declaring external API calls and filesystem read/write access without exposing those behaviors in the public interface. Undocumented side effects are dangerous because users and reviewers cannot evaluate what data may leave the environment or what files may be modified, which raises supply-chain and data-handling risk for an executable skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises advanced support for clustered designs and multiple comparisons, but the implementation does not include any such adjustments or methods. In a statistical decision-support tool, this mismatch can cause users to rely on invalid sample size calculations for regulated or high-stakes studies, leading to underpowered or improperly designed experiments.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The tool is presented as a power calculator, but it does not compute power and instead only returns sample-size estimates; the power_curve helper is also mislabeled because it repeatedly calls sample-size routines across effect sizes. This can mislead users into believing they have verified study power when they have not, creating a real risk of flawed study planning and downstream scientific or operational harm.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown explicitly labels network access as high risk and file-system access as medium risk, yet it does not provide a clear user-facing warning, consent model, or operational boundaries. In an agent skill, this is dangerous because users may invoke the tool expecting local statistical computation while the implementation could transmit data externally or write files, creating privacy, integrity, and environmental-impact risks.

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy
scipy
Confidence
95% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy
scipy
Confidence
95% confidence
Finding
scipy

VirusTotal

66/66 vendors flagged this skill as clean.
