Paper Management System

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PDF paper manager, but its optional notification feature can execute shell commands built from PDF-derived text, so it needs careful review before installation.

Install only in a dedicated papers/downloads workspace with backups. Leave notifications disabled unless you fully trust the PDFs and the configured command, and prefer replacing the shell-based notification with a fixed, argument-based adapter. Treat the SQLite database as sensitive because it may store extracted full text from private or unpublished papers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Execute the external notification command
    try:
        cmd = f'{notify_cmd} "{title}" "{message[:1500]}"'
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
        if result.returncode == 0:
            print(f"✓ 通知已发送")
            return True
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of environment variables, filesystem access, database writes, and shell/cron execution, but it does not declare any permissions. This creates a transparency and governance gap: users and platforms cannot accurately assess what access the skill requires, increasing the risk of overprivileged execution or unexpected file and environment exposure.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill includes a generic external command execution pathway for notifications, which is broader than necessary for paper summarization and materially increases attack surface. In this context, the feature can be abused to run arbitrary programs and exfiltrate sensitive paper content, making it more dangerous because the input includes untrusted document text.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents an automated workflow that moves files from downloads/ into papers/ and renames them, but it does not clearly warn users that the tool will modify files on disk. In a file-management skill, undocumented destructive or state-changing behavior can lead to accidental data loss, broken references, or processing of unintended files, especially when run unattended via cron.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises AI summarization and Feishu notifications without clearly disclosing that PDF content, summaries, metadata, or filenames may be sent to external services. Because this skill handles potentially sensitive research documents, missing disclosure increases the risk of unintentional data exfiltration and privacy or compliance violations when users enable these features.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill forwards summary content derived from full paper text to an external notification command without explicit user acknowledgement or data-classification checks. In a paper-management context, manuscripts may be unpublished, proprietary, or sensitive, so sending content to an arbitrary external command can cause unintended disclosure or downstream exfiltration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically deletes PDFs from the Downloads directory when their MD5 hash already exists in the database, without any confirmation, quarantine step, or user-visible safeguard. In a paper-management context this can cause unintended data loss, especially if the duplicate is the only remaining user-accessible copy, the database state is stale/corrupt, or MD5 collisions/logic errors misclassify a file as already indexed.

VirusTotal

63/63 vendors flagged this skill as clean.
