Arxiv Translate Email

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it embeds live-looking service credentials and uses under-scoped outbound messaging and background execution.

Install only if you trust the publisher and environment. Prefer a revised version that removes and rotates embedded secrets, uses user-provided scoped credentials, packages the queue and worker code, restricts attachments to generated PDFs, and makes cron plus QQ notifications explicit and user-controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The documented QQ notification channel adds an unsolicited outbound communication path beyond the stated email-delivery purpose. Extra messaging channels increase the chance of privacy leakage, covert notification, or data exfiltration, especially when tied to automated background processing.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The script hardcodes a real SMTP username, password, and sender address directly in source code, which exposes reusable email credentials to anyone with repository or artifact access. This enables unauthorized use of the mailbox for spam, impersonation, or exfiltration, and it expands the skill's effective power beyond simple document translation into independent outbound messaging using embedded secrets.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad enough to match ordinary requests about downloading or translating papers, which can cause the skill to activate unexpectedly. In a skill that sends email and issues outbound notifications, accidental invocation increases the likelihood of unintended external transmission and resource consumption.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill is designed to send translated papers to email and also mentions proactive QQ notifications, but does not describe a clear consent or privacy notice before data leaves the system. Because this workflow handles document content and recipient addresses, missing explicit outbound-data consent creates a meaningful privacy and exfiltration risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
This code sends email and optionally attaches a local PDF to an external recipient without any built-in confirmation, disclosure, or policy check at the point of transmission. In the context of a skill that downloads and translates papers, outbound email is expected, but the lack of explicit user-facing notice and validation still creates a real risk of unintended data exfiltration, misdelivery, or abuse if an attacker can influence the recipient or attachment path.

VirusTotal

67/67 vendors flagged this skill as clean.
