Chemistry Query

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs chemistry lookups and RDKit analysis as described, but its included Gradio UI (chem_ui.py) is launched with public sharing enabled by default, and some of its external dependency and data-flow behavior needs review.

Review before installing if you may handle confidential chemistry data. Use it only with compound names or SMILES you are comfortable sending to public chemistry services, avoid running chem_ui.py as-is unless public sharing is disabled or authenticated, and verify any manually installed OPSIN JAR before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
warnings.append(proc.stderr.strip())

# Draw
proc = subprocess.run(
    [sys.executable, os.path.join(script_dir, 'rdkit_mol.py'),
     '--smiles', canonical_smiles, '--action', 'draw', '--output', png_path],
    cwd=script_dir, capture_output=True, text=True, timeout=30)
Confidence
83% confidence
Finding
proc = subprocess.run( [sys.executable, os.path.join(script_dir, 'rdkit_mol.py'), '--smiles', canonical_smiles, '--action', 'draw', '--output', png_path],

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and invokes shell execution, network access, and file writing without declaring permissions, which weakens reviewability and sandbox policy enforcement. In an agent environment, undeclared capabilities can enable unintended outbound requests, filesystem changes, or command execution paths that operators did not explicitly approve.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose understates the actual capability set by omitting ChEMBL, PubMed, OPSIN/Java, and ADMET-related behaviors, creating a trust and governance gap. Hidden or undocumented functionality is dangerous because reviewers may allow a chemistry lookup skill while unknowingly granting broader network access, additional execution dependencies, and potentially sensitive analysis workflows.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Launching Gradio with share=True exposes the interface through a public reverse tunnel, which can make this local chemistry tool reachable by untrusted external users. In this context the app accepts arbitrary input and triggers multiple local scripts and file operations, increasing attack surface and potentially exposing the host, generated data, or expensive backend resources.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The script adds PubMed literature-search capability even though the skill metadata describes PubChem-focused chemistry queries and RDKit analysis. This undocumented expansion of data-source and capability scope can bypass user or platform expectations, increase attack surface, and enable retrieval of synthesis literature that is more sensitive in a chemistry context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists visualization PNG files to disk automatically using user-influenced names and returns their paths, without any visible consent, retention policy, or warning. In an agent setting handling potentially sensitive research queries, this can create unintended data retention, disclosure to other users/processes, and forensic leakage of chemical interests or proprietary structures.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When only a compound name is provided, the skill forwards that user-supplied name to a PubChem lookup flow without any visible disclosure or consent mechanism. In this chemistry context, names may reveal confidential compounds, targets, or internal research activity, so the privacy risk is heightened even though PubChem itself is a legitimate service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-supplied compound names are forwarded to a PubChem lookup helper without any notice, consent gate, or local-only mode. In an agent setting, users may provide proprietary compounds, internal project codenames, or sensitive research targets, and this code can transmit that data to an external service unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.