Sanger Chromatogram QA

Security checks across malware telemetry and agentic risk

Overview

This is a small local sequencing QA helper with no evidence of hidden access, data theft, persistence, or destructive behavior.

Install it in a project-specific virtual environment, consider pinning numpy before use, and confirm intended input and output paths before running any local script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 80%
Finding: The skill's invocation criteria are broad enough that it could be selected for generic data-analysis requests beyond narrow Sanger chromatogram QA. That increases the chance an agent will run the packaged script in contexts where inputs, constraints, or user expectations were not sufficiently validated, creating avoidable execution and file-handling risk.

Missing User Warnings

Medium
Confidence: 89%
Finding: The documentation instructs running local Python scripts and reviewing generated output, but it does not prominently warn users that code will execute locally and may read/write workspace files. In an agent setting, this can lead to implicit code execution and filesystem modification without sufficiently explicit user awareness or consent.

Unpinned Dependencies

Low
Category: Supply Chain
Content: numpy
Confidence: 97%
Finding: numpy

Known Vulnerable Dependency: numpy — 10 advisories: CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)); +7 more

Critical
Category: Supply Chain
Confidence: 89%
Finding: numpy

VirusTotal

60/60 vendors flagged this skill as clean.
