FactoriaGo

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at academic revision support, but its documentation repeatedly normalizes unsafe handling of account sessions and API keys; users should review the findings below before installing.

Install only if you need FactoriaGo account integration and are comfortable with the credential and manuscript-access risks. Do not paste API keys, passwords, or session cookies into chat or command-line arguments; prefer secure web settings, scoped tokens, and revocation. Before allowing file updates, require a diff or preview, keep manuscript backups or versions, and confirm exactly which project files the assistant may modify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of environment variables for authentication cookies and handles sensitive credentials/API keys, but no explicit permissions declaration is present. This creates a transparency and governance gap: the skill can access or encourage handling of secrets without clear least-privilege signaling to users or the platform.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The stated purpose focuses on paper revision and resubmission support, but the documented behavior expands into credential collection, session-cookie acquisition, LLM API key management, and general chat/API access. That mismatch is dangerous because users may consent to a narrow academic-editing assistant while the skill actually enables broader account and secret-management actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly tells users to give their AI provider API key to the assistant for configuration. Encouraging users to disclose long-lived secrets in conversational chat is dangerous because the key may be logged, exposed to plugins/tools, mishandled by the assistant, or reused beyond the intended scope. In this skill context, the risk is elevated because the assistant is positioned as an operator of an external platform, making users more likely to trust it with sensitive credentials.

Missing User Warnings

High
Confidence
98% confidence
Finding
The FAQ repeats the unsafe pattern of asking users to share a secret API key with the assistant, normalizing disclosure of credentials through chat. Repetition in a FAQ increases the chance users will view this as approved security practice, which can lead to credential compromise, account abuse, billing fraud, or unauthorized access to connected AI services.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation phrases include broad terms such as "paper revision", "LaTeX editing", and "reviewer response" that appear in many benign academic conversations. Over-broad triggers can cause unintended activation, leading the skill to solicit credentials, discuss external APIs, or steer users into networked workflows when they did not intend to invoke this integration.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow instructs the agent to read, edit, and write LaTeX files back to the server, but it does not require confirmation, versioning, diff review, or backup before overwriting user content. In an agent-driven editing context, this can lead to accidental destructive changes, loss of manuscript content, or corruption of submission files, especially when edits are applied automatically from reviewer-task workflows.
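The guard this finding asks for, as an added illustration that is not code from the FactoriaGo skill: the proposed content is diffed against the file on disk, the user (or a calling agent harness) must approve that diff, a timestamped backup is taken, and the write is restricted to an explicit allow-list of files and made atomic. The file names, the confirm callback and the backup naming are assumptions made for the example.

```python
"""Guarded overwrite for agent-driven manuscript edits.

Added illustration, not code from the FactoriaGo skill. The manuscript file
names, the confirm() callback and the backup naming scheme are assumptions.
"""
import difflib
import functools
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Callable


def unified_diff(path: Path, new_text: str) -> str:
    """Unified diff between the file currently on disk and the proposed text."""
    old_lines = (path.read_text(encoding="utf-8").splitlines(keepends=True)
                 if path.exists() else [])
    new_lines = new_text.splitlines(keepends=True)
    return "".join(difflib.unified_diff(old_lines, new_lines,
                                        fromfile=f"{path} (current)",
                                        tofile=f"{path} (proposed)"))


def guarded_write(path: Path, new_text: str, allowed: set[Path],
                  confirm: Callable[[str], bool]) -> bool:
    """Write new_text to path only if path is on the allow-list, confirm()
    approves the diff, and a backup of the old content exists. Returns True
    if the file was changed."""
    path = path.resolve()
    if path not in {p.resolve() for p in allowed}:
        raise PermissionError(f"{path} is not a file the assistant may modify")
    diff = unified_diff(path, new_text)
    if not diff:
        return False            # nothing would change, so nothing to confirm
    if not confirm(diff):
        return False            # user (or harness) declined the shown diff
    if path.exists():
        stamp = datetime.now().strftime("%Y%m%dT%H%M%S")
        shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(new_text, encoding="utf-8")
    tmp.replace(path)           # atomic rename: no half-written .tex on a crash
    return True


@functools.lru_cache(maxsize=None)
def demo() -> dict:
    """Exercise the guard on a constructed sample manuscript in a scratch dir."""
    work = Path(tempfile.mkdtemp())
    tex = work / "main.tex"
    tex.write_text("\\section{Intro}\nOld sentence.\n", encoding="utf-8")
    proposed = "\\section{Intro}\nRevised sentence per reviewer 2.\n"
    allowed = {tex}
    shown: list[str] = []

    def decline(diff: str) -> bool:
        shown.append(diff)      # record what the user would have been shown
        return False

    rejected = guarded_write(tex, proposed, allowed, confirm=decline)
    unchanged = tex.read_text(encoding="utf-8").endswith("Old sentence.\n")
    accepted = guarded_write(tex, proposed, allowed, confirm=lambda d: True)
    try:
        guarded_write(work / "other.tex", "x\n", allowed, confirm=lambda d: True)
        outside_blocked = False
    except PermissionError:
        outside_blocked = True
    return {
        "rejected": rejected,
        "unchanged_after_reject": unchanged,
        "accepted": accepted,
        "new_text_on_disk": tex.read_text(encoding="utf-8") == proposed,
        "backups": len(list(work.glob("main.tex.*.bak"))),
        "diff_shown": "-Old sentence." in shown[0] and "+Revised sentence" in shown[0],
        "outside_allowlist_blocked": outside_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The confirm() callback is the point where a chat-driven agent should stop and show the user the diff; in an automated reviewer-task loop it can be bound to a policy that declines anything outside the approved files.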

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script instructs users to pass email/password on the command line and export a live session cookie as an environment variable, both of which can be exposed through shell history, process listings, terminal logs, or shared session recordings. Because this skill manages authenticated academic projects, leaked credentials or session cookies could allow account takeover and access to manuscripts, reviewer comments, and project files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The set-llm-config command requires users to supply an API key directly on the command line and even includes examples with real secret formats, which risks exposure in shell history, process inspection, CI logs, and terminal telemetry. In this skill context, compromise of an LLM API key can lead to unauthorized billing, misuse of external AI services, and potential access to sensitive manuscript content sent through those providers.

Ssd 3

Medium
Confidence
95% confidence
Finding
This is a true security-design issue because the skill's operational flow depends on users transmitting a sensitive credential directly to the assistant. Even if the backend later stores keys encrypted and masks them on return, the exposure has already occurred at input time in the chat channel, where logging, prompt injection, accidental echoing, or tool-chain access may leak the secret.

Ssd 3

Medium
Confidence
95% confidence
Finding
The repeated FAQ guidance reinforces an insecure secret-handling pattern and teaches users to treat the assistant as a safe sink for credentials. In a skill that manages projects, files, and AI-powered workflows, that trust boundary confusion makes secret exfiltration more plausible and increases downstream compromise risk if the credential is reused elsewhere.

VirusTotal

62/62 vendors reported no detections for this skill. A clean antivirus result does not address the findings above: insecure credential handling, over-broad triggers, and unguarded file writes are documentation and workflow issues, not malicious code that file scanners are built to detect.