Paper Results Reverse Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paper-analysis skill, but it gives the agent broad local PDF access, shell-based PDF extraction, and persistent file-writing behavior that users should review first.

Install only if you are comfortable with the agent reading PDFs you provide or point it to, running pdftotext locally, and saving analysis files under OpenClaw_Paper_Analysis on your Desktop. Prefer uploading explicit files instead of giving broad local paths, and avoid using it on confidential papers unless you understand where outputs and temporary files may be stored.

Publisher note

Academic Results reverse-engineering skill for psychology papers. Analyzes published Results sections using 9 adaptive branches (A–I) covering experiments, surveys, RCTs, psychometrics, meta-analyses, fMRI/EEG, qualitative studies, and simulations. No real paper data is included. tests/ excluded via .clawhubignore. Output is analytical decomposition, never reproduction of source text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The template instructs the agent to run a local shell command (`pdftotext`) on user-supplied PDF inputs, which expands the skill from text analysis into code/execution territory. This creates command-execution and local-file handling risk, especially if paths or filenames are attacker-controlled or if the runtime has access to sensitive local data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The skill explicitly tells the agent to access PDFs via any local path on the user's machine, which authorizes arbitrary local file access beyond the stated purpose of reverse-engineering paper results. Even if intended for convenience, this widens the trust boundary and could be abused to read unintended local files or sensitive documents if path handling is insufficiently constrained.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs writing outputs to a fixed desktop directory and temporary paths without an explicit user-facing consent or confirmation step. That creates a real security and privacy risk because pasted paper content, PDFs, notes, and derived analyses may be persisted locally in predictable locations, potentially exposing sensitive or copyrighted material and leaving artifacts the user did not expect.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger list includes very broad, everyday phrases such as '用于汇报' (roughly "for a report/briefing") and '做 PPT' ("make a PPT") that can activate an unusually powerful close-reading mode without the user explicitly requesting exhaustive analysis. In an agent setting, vague triggers increase the chance of scope escalation, causing the skill to produce far more content, inference, and downstream-ready material than the user intended, which can amplify prompt-injection, data-leakage, or over-processing risks from untrusted paper content.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger phrases are broad, informal requests that can easily match ordinary conversation, increasing the chance the skill activates when the user did not intend a specialized reverse-engineering workflow. In an agent setting, ambiguous activation can cause unintended processing of user-provided papers or content and may bypass clearer consent or mode selection expectations.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding
The example chat summary displays a concrete user-local file write path, which normalizes writing output to the user's filesystem without an explicit warning or consent note in the example. While the path itself is not inherently dangerous, this pattern can mislead downstream implementations into performing local writes automatically, creating privacy, surprise, or unsafe file-handling risks.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
The skill's expected output includes hardcoded Chinese-language narration and source-tagging conventions without any indication that the user requested Chinese or that the locale is constrained by the task. This can override user intent, reduce usability, and create prompt-control issues where the agent follows embedded format/language directives from the skill rather than the active user's preferences.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The test case directs the agent to automatically extract and read uploaded PDF contents using pdftotext, but it provides no user-facing warning or consent language about processing uploaded documents, temporary file creation, or handling potentially sensitive paper contents. In a skill that explicitly accepts file uploads, this omission can lead to privacy misunderstandings and accidental processing of confidential or copyrighted material, even if the extraction behavior itself is expected.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding
The skill specification appears to require Chinese labels/examples in its expected output structure without any user opt-in, which can override user locale preferences and create policy/compliance issues in downstream agent behavior. In this context the issue is not a direct security exploit, but it is a real instruction-layer vulnerability because embedded formatting/language mandates can cause agents to ignore user intent and produce mismatched or unsafe outputs in multilingual settings.

VirusTotal

VirusTotal findings are pending for this skill version.