ClawHub

hxxra

Security checks across malware telemetry and agentic risk

Overview

This is a coherent research-paper assistant, but it uses external LLM and Zotero services when the user invokes those features.

Install only if you are comfortable using external academic, LLM, and Zotero services. Do not run analyze on confidential, unpublished, licensed, or personal PDFs unless the configured LLM provider and retention policy are acceptable. Use a dedicated workspace and avoid storing real API keys in shared config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill includes a credentialed 'save' workflow that creates Zotero collections and uploads paper metadata to a third-party service. In a generic agent-skill context with no explicit consent or scoping guardrails, this is a real data-governance risk because local research data can be externally persisted and accounts modified.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads an API key and sends extracted PDF text and metadata to an external LLM service for analysis. This is dangerous because uploaded paper text may contain confidential or proprietary content, and the transmission occurs without a visible consent, redaction, or policy check in the execution path.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill retrieves Zotero credentials from config/environment and uses them to create collections and upload items remotely. In an agent setting, credentialed third-party modification is security-relevant because it can alter external accounts and export workflow data beyond the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The analyze command explicitly states it uses an LLM and requires an OpenAI-compatible API key, but the documentation does not warn users that PDF contents may be transmitted to an external service. This creates a real privacy and data-handling risk because users may analyze unpublished, proprietary, or sensitive papers under the assumption processing is local.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The save command sends paper metadata to the Zotero API, but the documentation does not clearly warn that this involves network transmission to a third-party service. While the data is typically less sensitive than full PDF content, users may still unknowingly upload reading lists, research interests, or unpublished metadata to an external account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
PDF contents and metadata are sent to an external LLM API without any user-facing warning or disclosure in the code path. This creates a privacy and compliance risk because users may reasonably expect local document analysis, while the implementation actually exfiltrates document content to a remote provider.

Ssd 1

Medium
Confidence
88% confidence
Finding
The skill places extracted PDF text directly into the LLM prompt with no isolation or instruction-hierarchy hardening. Malicious or prompt-injected content embedded in a PDF can steer the model's output, causing manipulated analysis, data leakage in responses, or unsafe downstream decisions based on falsified summaries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal