Target Novelty Scorer

Security checks across malware telemetry and agentic risk

Overview

This skill looks like a demo that presents synthetic biomedical scoring as real literature-mining analysis, so users should review it carefully before relying on it.

Treat this skill as a mock or prototype unless it is updated to call real literature databases and clearly label data provenance. Do not use its scores, paper counts, trial counts, or confidence values for scientific, investment, or business decisions without independent verification and real citations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The tool advertises literature-mining novelty scoring, but the core search function generates simulated random values instead of retrieving real PubMed data. This can mislead users into making scientific or business decisions based on fabricated evidence, which is especially risky in a biomedical context where output may be treated as decision support.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The file-level description and CLI usage present the skill as a real target novelty scorer, while the internal searcher admits it is only a simulated implementation. This inconsistency increases the chance that operators will trust the output as factual, creating a deception/integrity risk even without classic code-execution behavior.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: dataclasses, numpy
Confidence: 94%
Finding: dataclasses

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: dataclasses, numpy
Confidence: 98%
Finding: numpy

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 91%
Finding: numpy

VirusTotal

65/65 vendors flagged this skill as clean.
