arxivkb

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local arXiv paper indexer, but its installer automatically changes the user environment and sets up recurring background ingestion with limited opt-in and removal guidance.

Install only if you are comfortable with Python package installation, an Ollama model download, local storage of arXiv PDFs/text/indexes, and a recurring daily ingest job. After installing, inspect or disable the user systemd timer or launchd plist if you want manual-only use, and check the actual data directory before running cleanup commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
Claiming the system is "100% local" is misleading because the documented workflow explicitly contacts the arXiv API and downloads PDFs over the network. Users may enable the skill in restricted or privacy-sensitive environments under a false assumption that no outbound network activity occurs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The installer creates persistent OS-level scheduled tasks that will automatically run the project's CLI daily. This is dangerous because it establishes recurring execution and network activity beyond a one-time install, and the manifest description does not clearly disclose this persistence, reducing informed user consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The installer modifies the user's Python environment by installing packages and also pulls an external Ollama model, which introduces supply-chain and unexpected network side effects. These behaviors may be acceptable for an installer, but they should be explicitly disclosed because they alter the local environment and fetch executable/model artifacts from outside the repo.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README states that installation will create persistent local data, initialize a SQLite database, pull a model, and schedule a daily background cron/system service. Even though these actions may be legitimate for the tool, performing or encouraging persistent system changes without a prominent warning and explicit consent is risky because users may unknowingly enable ongoing background activity, resource consumption, and network access.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The ingestion docs describe the pipeline but do not clearly foreground the operational data flows and trust boundaries: PDFs are downloaded from arXiv, extracted text is processed locally, and content is sent to the local Ollama service for embeddings. In environments where localhost services are proxied, logged, or shared, this omission can lead to incorrect privacy assumptions.

VirusTotal

63/63 vendors flagged this skill as clean.