Verified Research

Security checks across malware telemetry and agentic risk

Overview

This research skill appears purpose-built, not malicious, but needs review because it can automatically persist research summaries, delete cached reports, and even update its own skill instructions without clear user confirmation.

Install only if you are comfortable with research topics, evidence snippets, and conclusions being cached locally and later written into MEMORY.md. For sensitive topics, require explicit confirmation before starting, resuming, archiving, deleting caches, saving reports, or allowing any update to the skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence: 88%
Finding
The README defines a continuation command using broad natural language such as "继续研究{原话题}" ("continue researching {original topic}"), which can overlap with ordinary conversation and cause unintended invocation of the skill or its resume behavior. In a skill that persists and resumes research state, accidental triggering is more dangerous because it can surface prior cached context, continue network and file activity, or cause unexpected access to stored research artifacts.

Vague Triggers

Medium
Confidence: 91%
Finding
The quick-start example "帮我研究一下XXX" ("help me research XXX") is generic conversational language with no boundary indicating when it should be treated as a normal request versus a privileged skill activation. Because this skill performs multi-step searches and writes persistent artifacts, an accidental match could trigger unintended external actions and data retention beyond what the user realized.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation states that research data may be automatically written to MEMORY.md and can be copied to the workspace, but it does not clearly warn users that potentially sensitive prompts, collected evidence, or generated summaries may be persisted outside ephemeral storage. In this context, the risk is elevated because the skill is explicitly designed to accumulate multi-round research over time, increasing the chance that confidential or regulated information is retained longer than intended.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger conditions are broad enough to activate on common phrases like '查一查' ("look it up"), '确认一下' ("confirm"), or '搜索' ("search"), which can cause the skill to run when the user did not intend a multi-step cached research workflow. Because this skill writes research artifacts to /tmp and later summarizes them into MEMORY.md, accidental invocation can lead to unintended persistence of user queries and derived content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that cleanup writes a summary of the topic, date, conclusions, source statistics, and report path into MEMORY.md, but it does not present this as a clear user-facing warning or consent gate. This creates a privacy and data-governance risk because user research topics may be sensitive, and the agent may persist them beyond the temporary cache without explicit authorization.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill notes that the full report exists only in /tmp before cleanup and may be deleted after three days, but this warning is buried in an informational note rather than clearly communicated as a retention risk. Users may reasonably expect the generated report to remain available, so this behavior can cause silent data loss or loss of auditability for important research outputs.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script appends content derived from cache files into a privileged MEMORY.md path and then recursively deletes topic directories without any interactive confirmation, dry-run mode, or stronger path safety checks. In an agent context, this increases the risk of unintended data destruction and of untrusted content being persisted into a shared memory file, especially if the cache contents or CACHE_DIR can be influenced by other components. A cache file that contains newlines or markdown can inject its own headings or instructions into MEMORY.md, and a topic name or symlink that escapes the cache root can turn the cleanup step into deletion of arbitrary directories.
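The following is an added example of what a hardened cleanup step could look like; it is not the skill's own script, and the layout it assumes (a CACHE_ROOT directory with one subdirectory per topic, a conclusion.txt and *.src files inside each, and a MEMORY_FILE to append to) is an assumption made for the example. It addresses the three gaps named in the finding: it defaults to dry-run, requires an explicit CONFIRM=yes before anything destructive happens, and refuses topic names or resolved paths that fall outside the cache root. Cache content is treated as untrusted and collapsed to a single sanitized line before it reaches the memory file.

```shell
#!/bin/sh
# Added example (not the skill's code): hardened cleanup for a per-topic research cache.
# Assumed layout: $CACHE_ROOT/<topic>/{conclusion.txt,*.src,report.md}; summary -> $MEMORY_FILE.

CACHE_ROOT="${CACHE_ROOT:-/tmp/research-cache}"   # assumed cache location
MEMORY_FILE="${MEMORY_FILE:-$HOME/MEMORY.md}"      # assumed memory file
DRY_RUN="${DRY_RUN:-1}"       # default is dry-run; set DRY_RUN=0 to act
CONFIRM="${CONFIRM:-}"        # set CONFIRM=yes to allow append + delete

# Accept only simple slugs: no '/', no '..', no leading dot, no shell-significant characters.
valid_topic() {
  case "$1" in
    ''|*/*|*..*|.*|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Resolve symlinks on both sides and require the target to sit strictly inside the cache root.
inside_cache_root() {
  root=$(cd "$CACHE_ROOT" 2>/dev/null && pwd -P) || return 1
  target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  case "$target" in
    "$root"/*) return 0 ;;
  esac
  return 1
}

# Drop control characters, fold newlines to spaces and cap the length, so a cache file
# cannot inject new lines, headings or instructions into MEMORY.md.
sanitize_line() {
  printf '%s' "$1" | tr -d '\000-\011\013-\037' | tr '\n' ' ' | cut -c1-200
}

# Returns 0 on success or dry-run, 2 when the path is rejected, 3 when confirmation is missing.
cleanup_topic() {
  topic="$1"
  valid_topic "$topic" || { echo "refusing: bad topic name '$topic'" >&2; return 2; }
  dir="$CACHE_ROOT/$topic"
  [ -d "$dir" ] || { echo "refusing: no such topic directory $dir" >&2; return 2; }
  inside_cache_root "$dir" || { echo "refusing: $dir resolves outside $CACHE_ROOT" >&2; return 2; }

  conclusion=""
  if [ -f "$dir/conclusion.txt" ]; then
    conclusion=$(sanitize_line "$(cat "$dir/conclusion.txt")")
  fi
  sources=$(find "$dir" -name '*.src' 2>/dev/null | wc -l | tr -d ' ')
  summary="- [$(date +%Y-%m-%d)] $topic: $conclusion ($sources sources; report was $dir/report.md)"

  if [ "$DRY_RUN" != "0" ]; then
    echo "DRY RUN: would append to $MEMORY_FILE: $summary"
    echo "DRY RUN: would recursively delete $dir"
    return 0
  fi
  [ "$CONFIRM" = "yes" ] || { echo "refusing: set CONFIRM=yes to append to memory and delete the cache" >&2; return 3; }

  printf '%s\n' "$summary" >> "$MEMORY_FILE"
  rm -rf -- "$dir"
  echo "appended summary to $MEMORY_FILE and removed $dir"
}

# Usage: CONFIRM=yes DRY_RUN=0 sh cleanup.sh <topic>   (no argument: nothing happens)
if [ "$#" -ge 1 ]; then
  cleanup_topic "$1"
fi
```

The order of the checks matters: the name is validated before the path is built, the resolved path is checked before any cache content is read, and the memory file is only written once the same call is allowed to delete, so a partially applied run cannot leave a summary pointing at a report that still exists or a deleted report with no summary.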

VirusTotal

67/67 vendors reported this skill as clean.
