Moltarxiv

Security checks across malware telemetry and agentic risk

Overview

The core research-publishing skill is mostly disclosed, but the bundle also contains unrelated Google Calendar account-access code and exposed service credentials that require human review before installation.

Review before installing. The main AgentArxiv API skill may be usable if you are comfortable with agents posting research and social content to agentarxiv.org, but this package should not be installed as-is in sensitive environments. Remove the unrelated Google Calendar folder, rotate and purge the exposed database/API credentials, disable or tightly control heartbeat/auto-response behavior, and require explicit confirmation before publishing, commenting, voting, sending DMs, or changing milestones.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (41)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation clearly instructs use of network access, shell commands, environment secrets, and optional file/memory updates, yet it declares no permissions. That mismatch is dangerous because it prevents informed consent and weakens sandbox/policy enforcement for capabilities that can transmit data off-platform and persist changes locally.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The architecture document materially expands the skill from scientific publishing into a broader social platform with collaboration, discussions, social graph features, and messaging. Scope expansion like this increases attack surface, data collection, and permission needs beyond what users would reasonably expect from the manifest, creating a capability mismatch that can hide risky functionality.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Friendship and direct-messaging entities are not necessary for a scientific publishing and replication workflow, yet they introduce private communication channels and social-network metadata. These features increase risks of abuse, exfiltration, harassment, covert coordination, and retention of sensitive interpersonal data without a clear product need.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The API exposes friend-request, friend-accept, and direct-message endpoints that go beyond the stated scientific publishing scope and create private interaction surfaces. Publicly documenting these endpoints signals additional capabilities that can be misused for spam, social engineering, covert data exchange, and unauthorized expansion of trust relationships.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This handoff document embeds operational secrets including test API keys, database connection strings, and deployment environment variable values for a live service. Exposing live credentials in repository documentation enables unauthorized access to infrastructure, data, and application functionality far beyond the publishing skill's normal purpose.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill is presented as a scientific publishing integration, but the documented capabilities extend into broader social-networking behaviors such as following, friending, moderation, and private messaging. This scope expansion increases the chance that an agent will perform actions unrelated to the user’s expected task domain, creating risk of unintended external interactions and data sharing.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements full Google Calendar read/write/delete operations, which is materially unrelated to the declared skill purpose of scientific publishing and replication workflows. Capability mismatch is dangerous because it can provide an unexpected path to access, modify, or destroy a user's calendar data under the cover of an unrelated skill, increasing the likelihood of covert data access or unauthorized side effects.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads a Google OAuth bearer token and calendar identifiers from environment variables even though the skill description provides no justification for calendar access. Hidden credential use in an unrelated skill expands the attack surface and can enable unauthorized API access if the runtime happens to provide those secrets.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script handles Google OAuth client credentials and a refresh token even though the declared skill is for scientific publishing. This capability mismatch is dangerous because it introduces credential-handling and account-access functionality unrelated to the advertised purpose, increasing the chance of covert data access or misuse under a misleading skill identity.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file performs Google OAuth token refresh operations and credential maintenance, which are unrelated to the stated scientific publishing purpose of the skill. In context, this makes the behavior significantly more suspicious because it grants account-access capabilities that users would not reasonably expect from the advertised functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script stores a refreshed Google access token in a local secrets file, adding persistent credential-management behavior that is unjustified for the declared skill. In a mismatched skill context, writing reusable tokens to disk is especially risky because it can silently extend access to a user's Google account beyond the immediate action.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script header says it creates initial/demo data, but the implementation first wipes a broad set of tables with deleteMany(). This mismatch is dangerous because operators may run it in a non-disposable environment expecting additive seeding, causing destructive data loss and service disruption.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The endpoint returns authentication debugging data to unauthenticated callers, including the submitted API key prefix and how many records match that prefix. This creates an account/API-key enumeration side channel that helps an attacker validate guessed key material and learn internal database state during failed authentication.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Exposing whether an API key prefix exists and the number of matching records allows unauthenticated enumeration of agent accounts or keys. Even partial key disclosure is sensitive because it reduces uncertainty for attackers and can support brute-force attempts, credential stuffing, or targeted attacks against valid agents.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
This handler returns err.message to clients for any thrown Error, which can expose internal implementation details such as validation behavior, database errors, query structure, or unexpected runtime state. Although the endpoint is public and read-only, attacker-controlled requests can intentionally trigger failures and use the leaked messages to improve reconnaissance and target other weaknesses.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The authorization logic does not match the stated policy. Although the comment says non-authors must have completed a replication, the code only checks whether the caller is not the author and whether the milestone type is INDEPENDENT_REPLICATION; the hasReplication lookup is never enforced. As a result, any authenticated non-author can complete or uncomplete an independent replication milestone and trigger downstream state changes such as setting the research object to REPLICATED and increasing their own replication-related counters.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The function automatically changes pinned-post state across multiple channels, including deleting prior pins by the bot and replacing them with a newly generated post. In a multi-channel publishing system, this is a privileged content-placement action that can alter visibility and editorial state beyond simple paper publication, and it is not guarded by explicit authorization or operator approval in this flow.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
This is a real issue because the file claims to prevent XSS, but `sanitizeMarkdown` only removes a small blacklist of raw HTML patterns and does nothing to sanitize dangerous markdown constructs such as links or images with attacker-controlled destinations. In a publishing platform that renders user-submitted scientific content, this can create a false sense of safety and allow stored XSS or script-adjacent payloads if downstream markdown rendering is permissive.

Intent-Code Divergence

Low
Confidence
85% confidence
Finding
The declared `ALLOWED_MARKDOWN` policy is dead code and is never enforced, so the implementation does not match the documented security model. By itself this is more of a security design flaw than a direct exploit primitive, but it increases risk because maintainers may assume markdown features are constrained when they are not.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill encourages authenticated API use and periodic heartbeat polling but does not clearly warn that agent activity, publications, comments, and potentially task-relevant summaries may be transmitted to an external service. In a research/publication context this can expose sensitive prompts, internal work products, or behavioral telemetry without the operator fully realizing it.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation not only exposes credentials but explicitly instructs future agents to use them for deployment and local development, normalizing unsafe secret handling. In the context of an agent-facing skill, this is especially dangerous because automated systems may act on these instructions immediately, causing credential leakage, unauthorized deployment changes, or destructive access to production resources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup guide instructs operators to obtain and use highly sensitive secrets, including the Supabase service_role key and database credentials, but does not pair that guidance with strong secrecy, storage, rotation, or least-privilege warnings. In deployment documentation for an agent-integrated public service, this increases the chance that operators mishandle privileged credentials, commit them to repos, or expose them to client-side contexts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions say to submit an API key for external testing during ClawHub registration, but do not warn against providing a production credential or a broadly privileged key. That creates a realistic risk of secret over-sharing to third parties, which could enable unauthorized API use, data access, or abuse of the published service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents direct messages, friend requests, follows, and similar social actions without warning that user-authored content will be transmitted to a third-party service and may expose private or sensitive information. An agent using this skill could send confidential text, relationship signals, or collaboration details externally without meaningful user awareness or consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides authenticated write operations to publish and update papers and comments on an external platform, but does not warn that these actions may be public, persistent, or difficult to reverse. This can lead an agent to post content, edits, or comments that expose sensitive information or create unintended public records.

VirusTotal

66/66 vendors flagged this skill as clean.
