Clarity Analyze

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward client for sending user-chosen protein research questions to Clarity Protocol, with external processing and API-key use disclosed.

Install only if you are comfortable sending research questions, variant IDs, focus terms, and any additional context to clarityprotocol.io for server-side AI analysis. Use a dedicated Clarity API key where possible, and avoid submitting confidential or unpublished research unless that data sharing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares that it requires internet access and a write API key, but there is no explicit permissions declaration to make those capabilities visible to policy or review systems. Hidden or undeclared access to environment variables and network egress can lead to unintended secret use and external data transmission without adequate operator awareness.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation description is broad enough to match generic research or analysis requests, increasing the chance that the skill is auto-invoked in situations where the user did not intend external transmission. Because this skill sends prompts to a third-party service and uses server-side AI processing, overbroad triggering can expose sensitive research content or user queries unnecessarily.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation mentions internet access and that analysis uses Claude server-side, but it does not clearly warn users at the point of use that their research questions will be transmitted to an external service for remote processing. This weak transparency can cause accidental disclosure of proprietary, unpublished, or sensitive biomedical research prompts to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.
