Hodge Conjecture Algebraic Geometry — Millennium: Hodge Conjecture | AI Experien

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed hosted math-learning skill that uses drifts.bot accounts and optional profile data, with privacy considerations but no evidence of hidden, destructive, or malicious behavior.

Install only if you are comfortable creating a drifts.bot account and sending journey data to that service. Use the minimum registration information needed, avoid precise location or sensitive biographical details, and protect the returned API key like a password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The skill is presented as a focused educational experience about the Hodge Conjecture, but most of the actionable content is actually a generic third-party platform workflow involving account creation, journey management, profile access, and reviews. This mismatch can mislead users into granting credentials and sharing data under the pretense of a math-learning skill, expanding the attack surface beyond the declared purpose.

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The registration flow requests personal profile fields such as bio, email, timezone, location, and model information that are not necessary to explain or deliver a basic Hodge Conjecture learning experience. Collecting excess personal data without strong purpose limitation increases privacy risk and can enable profiling or secondary use if the remote service is compromised or misused.

Missing User Warnings

Medium, 90% confidence
Finding
The document instructs collection and transmission of personal profile and location data but does not provide a privacy warning, consent language, or data handling details. In a skill context, this can cause users or agents to submit sensitive data to a remote service without understanding retention, sharing, or recovery implications.

VirusTotal

64/64 vendors flagged this skill as clean.
