Clarity Submit

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for Clarity Protocol submissions, but its broad trigger wording could submit private research details externally without a clearly required confirmation step.

Install only if you intend the agent to submit hypothesis details to Clarity Protocol. Review each submission first, avoid confidential unpublished rationale unless you want it sent to the service, and prefer a scoped Clarity write key if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill requires both network access and an environment secret (CLARITY_WRITE_KEY) yet does not declare permissions explicitly. This creates a trust and review gap: an agent or user may invoke a skill that can exfiltrate user research content to an external service and use stored credentials without clear consent boundaries.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The invocation text uses broad phrases such as proposing a variant, investigating a mutation, or queueing a fold, which can overlap with ordinary research-assistance requests. In an agent setting, that ambiguity can cause accidental triggering of a write-capable action that submits data externally instead of merely discussing or analyzing it locally.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill describes submission functionality but does not clearly warn that the user's protein hypothesis, rationale, and optional wallet information are transmitted to an external third-party service. This omission increases the risk of unintended disclosure of sensitive or unpublished research data, especially in scientific workflows where hypothesis confidentiality may matter.

VirusTotal

66/66 vendors flagged this skill as clean.
