Paper Research Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paper-research skill, but it can silently change the Python environment and launch many parallel agents without strong user-controlled limits.

Install only if you are comfortable with an autonomous workflow that downloads papers, writes local research folders, may install Python packages, and may spawn many analysis agents. Prefer running it in an isolated environment, preinstalling or pinning dependencies yourself, setting a small paper count/concurrency limit, and reviewing generated tasks before agent execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Excerpt from ensure_deps(): a failed import triggers a silent, unpinned pip install
# into the running interpreter's environment (the -q flag suppresses pip's output)
try:
    __import__(dep)
except ImportError:
    subprocess.run([sys.executable, '-m', 'pip', 'install', dep, '-q'])

ensure_deps()
Confidence
95% confidence
Finding
subprocess.run([sys.executable, '-m', 'pip', 'install', dep, '-q'])

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to launch a local Python script via subprocess, which expands the capability from paper analysis into arbitrary code execution on the host. In this context, the subprocess is parameterized by user-driven input and runs from a local path, so compromise of the script or abuse of the invocation chain could lead to unintended system actions beyond the user’s expected research task.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Auto-installing Python packages is not necessary for the core logic of searching and downloading papers during a normal skill invocation, and it silently performs an external side effect. In an autonomous agent setting this is more dangerous because it allows unannounced environment mutation and introduces supply-chain exposure whenever the skill is run.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promises automatic PDF downloads and creation of a local research_output directory, but does not warn users that invoking the skill will perform network access and write potentially many files to disk. In an autonomous agent setting, undisclosed side effects matter because a simple natural-language trigger could cause unexpected external requests, storage consumption, and persistence of downloaded content without informed user consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow automates PDF downloads and local file creation without warning the user, which undermines informed consent and can create unwanted network traffic, storage usage, and potentially unsafe file handling. In a skill that may activate from broad research prompts, silent downloading makes the behavior more dangerous because users may not realize external content is being fetched and persisted locally.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill automatically spawns multiple parallel sub-agents without disclosing that behavior to the user, which can amplify resource consumption, increase attack surface, and multiply the effect of prompt/data injection from downloaded content. Parallel autonomous execution is materially riskier than a single analysis pass, especially when each agent reads untrusted PDFs and produces downstream outputs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Running pip automatically and silently is dangerous because package installation executes trust-sensitive logic and changes the host environment without prior warning or consent. In this skill context, which may run autonomously on user systems, the lack of confirmation makes the behavior more concerning than in a manual setup tool.

VirusTotal

65/65 vendors flagged this skill as clean.
