ClawHub

Academic Writer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it should be used only in trusted LaTeX project folders because it can read, write, and compile local files.

Install only if you are comfortable with a skill that can read reference files, modify LaTeX project files, and run local LaTeX compilation. Use it in a dedicated project folder, avoid absolute or parent-directory paths unless intentional, keep backups or review diffs before overwrites, and do not compile templates or TeX files from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # -interaction=nonstopmode: 不因错误暂停
        # -pdf: 生成 PDF
        result = subprocess.run(
            ['latexmk', '-pdf', '-interaction=nonstopmode', main_file],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
92% confidence
Finding
result = subprocess.run( ['latexmk', '-pdf', '-interaction=nonstopmode', main_file], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal