AI Deep Learning Methodology

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only research workflow for learning a field from papers with AI tools; the scan found no code and no hidden install behavior.

Install only if you want a structured research methodology. Before using it, do not upload confidential, proprietary, personal, regulated, or paywalled materials to third-party AI/RAG services unless you have permission and understand those services' data-retention and processing policies. Keep every step of the workflow user-approved, especially downloading full texts, uploading documents, and saving a personal knowledge base.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 92%

Finding
The trigger phrases are broad enough to match many ordinary research or learning requests, which can cause the skill to activate outside the user's clear intent. In this skill's context, that matters because activation may steer users into a prescribed workflow involving external tools, document uploads, and multi-agent actions without an explicit opt-in at the moment of use.
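To make the finding concrete, the following added example (not code from the skill, SkillSpector, or NVIDIA) simulates a simple word-boundary trigger router and measures how often a hypothetical broad trigger set fires on ordinary requests compared with a narrow one. The trigger phrases and the request corpus are constructed for illustration; the scanned skill's real triggers are not shown on this page.

```python
import re

# Constructed sample of everyday user requests that have nothing to do with this
# specific skill's workflow (plus one request, the last, that genuinely targets it).
ORDINARY_REQUESTS = [
    "help me learn how transformers work",
    "research the history of the Roman republic",
    "summarize this paper on diffusion models",
    "what should I read to get started with Rust",
    "write a cover letter for a research assistant job",
    "explain deep learning to a beginner",
    "walk me through your deep learning methodology for reading papers",
]

# Hypothetical trigger sets. BROAD uses single generic words of the kind the
# finding describes; NARROW uses multi-word phrases tied to the skill's purpose.
BROAD_TRIGGERS = ["learn", "research", "paper", "read", "methodology"]
NARROW_TRIGGERS = [
    "deep learning methodology",
    "build a paper-based knowledge base",
    "set up a literature review workflow",
]


def matches(trigger: str, request: str) -> bool:
    """Case-insensitive whole-phrase match, as a naive skill router would test it."""
    pattern = r"\b" + re.escape(trigger) + r"\b"
    return re.search(pattern, request, re.IGNORECASE) is not None


def activations(triggers: list[str], requests: list[str]) -> list[str]:
    """Return the requests on which at least one trigger fires."""
    return [r for r in requests if any(matches(t, r) for t in triggers)]


def activation_rate(triggers: list[str], requests: list[str]) -> float:
    """Fraction of requests that would activate the skill."""
    return len(activations(triggers, requests)) / len(requests)


def is_vague(triggers: list[str], requests: list[str], threshold: float = 0.5) -> bool:
    """Flag a trigger set as vague when it fires on more than `threshold` of a
    corpus of unrelated requests (threshold is an illustrative choice)."""
    return activation_rate(triggers, requests) > threshold


if __name__ == "__main__":
    for name, triggers in (("broad", BROAD_TRIGGERS), ("narrow", NARROW_TRIGGERS)):
        fired = activations(triggers, ORDINARY_REQUESTS)
        print(f"{name}: {len(fired)}/{len(ORDINARY_REQUESTS)} requests activate, "
              f"vague={is_vague(triggers, ORDINARY_REQUESTS)}")
        for r in fired:
            print("   ", r)
```

The broad set fires on six of the seven requests, including a cover-letter request, while the narrow set fires only on the one request that actually asks for the skill's methodology. The same harness can be pointed at a skill's declared triggers and a corpus of a team's real prompts to estimate how often the skill would hijack unrelated work.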

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding
The skill instructs users to upload documents to NotebookLM or similar RAG tools and to use multiple third-party AI services, but it does not warn about privacy, confidentiality, data retention, or jurisdictional risks. This is dangerous because users may upload sensitive papers, internal documents, or proprietary research to external services without informed consent or understanding where that data will be processed.

VirusTotal

64/64 vendors reported this skill as clean (no detections).
