DeepReader

Security checks across malware telemetry and agentic risk

Overview

DeepReader is a coherent web-reading skill that fetches links and saves extracted content to local agent memory, with expected privacy and prompt-injection cautions.

Install this only if you want shared URLs to be fetched automatically and saved into agent memory. Avoid using it on private, internal, or sensitive URLs, and treat saved webpage/social content as untrusted reference material rather than instructions for the agent to follow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill advertises network fetching and writes fetched content into agent memory, yet no explicit permissions are declared. This creates a governance gap: agents or reviewers may not realize the skill can access remote content and persist it locally, increasing the risk of unintended data ingestion, prompt-injection persistence, and misuse of filesystem/network capabilities.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: Automatically triggering on any message containing an http:// or https:// URL is overly broad and can cause unintended network access and storage without clear user intent. In this skill's context, broad triggering is more dangerous because the fetched remote content is then converted to Markdown and saved into memory, potentially persisting malicious or irrelevant web content for later agent use.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The description emphasizes convenient URL reading but does not clearly warn users that fetched web content is persisted into agent memory as Markdown files. This weakens informed consent and can lead to unintentional retention of sensitive, copyrighted, or adversarial content, especially because the skill is positioned as a default reader and may auto-trigger.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: This parser sends user-supplied tweet identifiers derived from the input URL to third-party services (FxTwitter first, then public Nitter instances) without any indication in this file of user consent, disclosure, or an option to disable external relays. In an agent context, this can leak what content the user or agent is investigating to unrelated public services, creating privacy, metadata exposure, and compliance risks even if the tweet itself is public.

VirusTotal

65/65 vendors flagged this skill as clean.