ClawHub

botlearn-academic-search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent academic-paper search helper that uses external scholarly search services as expected and shows no hidden access, persistence, or destructive behavior.

Reasonable to install if you want academic paper discovery and citation synthesis. Be aware that your research queries may be sent to arXiv, Semantic Scholar, Google Scholar, and the google-search helper dependency; avoid entering confidential or unpublished research details unless that is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list contains broad, common terms such as "research," "cite," and "scholar," which can cause the skill to activate in contexts where the user did not explicitly request academic literature search. Unintended activation is risky because this skill performs multi-step search, ranking, and synthesis behavior and may override a more appropriate skill or cause unnecessary external lookups.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
87% confidence
Finding
The trigger phrase 'find papers' begins with the generic verb 'find', which can conflict with a built-in command namespace and cause the skill to be invoked unexpectedly or to shadow an existing command. Even though the skill file has no substantive content, trigger-level ambiguity can still misroute user requests, create unreliable behavior, or let the skill intercept prompts intended for safer/default functionality.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal