Deep Research.Bak

Security checks across malware telemetry and agentic risk

Overview

This deep-research skill largely matches its stated purpose, but it keeps research data in multiple local locations and auto-opens generated HTML/PDF output, so users should review its side effects before installing.

Install only if you are comfortable with an autonomous research workflow that performs web searches, spawns sub-agents, writes files under Documents and ~/.claude/research_output, may verify citation URLs over the network, and auto-opens generated HTML/PDF files. Avoid using it for confidential research unless you change the workflow to choose an output folder, disable duplicate retention, require confirmation before continuation agents and browser opening, and sanitize generated HTML.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability (Medium, 94% confidence)

Finding: The continuation protocol instructs the agent to execute a local command (`python scripts/validate_report.py --report [path]`) even though the skill is framed as research and report generation, not code execution or local script operation. This expands the skill's authority into executing repository-local code, which could run attacker-modified scripts, trigger unintended side effects, or be abused for arbitrary code execution in the user's environment.

Context-Inappropriate Capability (Medium, 94% confidence)

Finding: The methodology explicitly instructs the agent to invoke Bash to obtain the current date before conducting searches. Even though the command shown is simple, introducing shell execution into a research workflow expands the capability boundary from information retrieval into system interaction without clear necessity, creating avoidable risk and a precedent for broader command execution in downstream implementations.

Context-Inappropriate Capability (High, 99% confidence)

Finding: The methodology tells the agent to install search-cli via a package manager and configure provider API keys, which is a systems-management and secret-handling capability not required for a normal research skill. If followed, this could cause unauthorized software installation, persistence of new tooling, and exposure or misuse of credentials, especially on enterprise endpoints or shared environments.

Context-Inappropriate Capability (Medium, 94% confidence)

Finding: The skill instructs persistent storage of citation state and report outputs to local disk as part of normal operation, even though durable local retention is not clearly necessary for answering a user's research request. Persisting provenance data and generated content increases the chance of unintended data retention, exposure of sensitive research topics, and later access by other tools or users on the same system.

Context-Inappropriate Capability (Medium, 98% confidence)

Finding: Saving an additional copy to ~/.claude/research_output/ creates undisclosed duplicate retention in an internal-looking directory that the user may not inspect or expect. This expands the data footprint, makes deletion harder, and can retain sensitive report contents beyond the user-visible output location.

Missing User Warnings (Low, 91% confidence)

Finding: The README explicitly states that reports are automatically saved to the user's Documents directory and that HTML output is auto-opened in a browser, but it does not clearly warn users about these side effects or indicate whether they are configurable. In a research skill that may process sensitive prompts or internal data, implicit filesystem writes and browser launches can expose confidential material locally, trigger unintended persistence, or surprise users in restricted environments.

Vague Triggers (Medium, 87% confidence)

Finding: The trigger phrases include broad, common-language requests such as 'comprehensive analysis,' 'compare X vs Y,' and 'analyze trends,' which can cause the skill to activate for many ordinary prompts. In context, that matters because activation leads to autonomous research behavior, network usage, and file generation, so unintended invocation can produce unexpected data access, network activity, or filesystem side effects.

Missing User Warnings (Medium, 96% confidence)

Finding: The skill states that it will write multiple output files to ~/Documents/[Topic]_Research_[YYYYMMDD]/ and auto-open HTML/PDF, but the description does not warn users up front about these side effects. This is dangerous because users may invoke what appears to be a research workflow without realizing it will persist files locally and automatically open generated documents, which can expose sensitive topic names or create unwanted artifacts on shared systems.

Missing User Warnings (Medium, 91% confidence)

Finding: The protocol directs the agent to append to a report file and later delete the continuation state file, but these filesystem modifications are presented as normal workflow steps without explicit user notice or consent boundaries. In an agent setting, silent write/delete behavior is risky because it can overwrite user content, tamper with files outside the immediate task, or normalize destructive actions through recursive continuation runs.

Missing User Warnings (Medium, 92% confidence)

Finding: The skill directs filesystem writes under the user's home directory without any user-facing warning, confirmation, or scope limitation. Silent creation of directories and files can surprise users, persist sensitive material locally, and violate least-surprise expectations for a research assistant.

Missing User Warnings (Medium, 97% confidence)

Finding: The undisclosed extra save location is especially problematic because it is separate from the main report folder and framed as internal tracking. Users may believe they have only one copy of the report, while a second copy remains elsewhere, increasing privacy and retention risk.

Missing User Warnings (Medium, 97% confidence)

Finding: This converter interpolates untrusted markdown content directly into HTML elements and also preserves preexisting HTML-looking lines, but it never escapes or sanitizes attacker-controlled text before emitting HTML. In a research/reporting skill that may process web-derived or user-supplied content, this can enable stored or reflected XSS, scriptable links, event handlers, or other active HTML injection when the generated report is viewed in a browser or embedded webview.

Missing User Warnings (Medium, 90% confidence)

Finding: The script automatically persists research state to ~/.claude/research_output after every phase, including the user query, findings, source metadata, and timestamps, without an explicit consent flow or warning. In an enterprise research context, queries and collected material may contain sensitive business topics, internal investigations, or regulated data, so silent local retention increases privacy and data exposure risk.

Missing User Warnings (Medium, 94% confidence)

Finding: The script sends user-supplied DOI values and arbitrary bibliography URLs to external services (doi.org and the cited host) during verification, but the CLI only mentions that internet is required and does not clearly warn that citation contents and destination URLs will be disclosed over the network. In an enterprise research workflow, bibliography entries may contain sensitive internal references, pre-release links, or tracking URLs, so this can cause unintended data leakage and outbound requests to untrusted hosts.

VirusTotal

66/66 vendors flagged this skill as clean.
