Ai Paper Survey

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed AI paper-survey workflow that reads local research-topic files, searches alphaXiv, runs a separate analyzer, and writes a Markdown report.

Install only if you want a structured alphaXiv/arXiv paper-survey assistant. Run it in a workspace where matching research keyword files are intended, review the separate paper-impact-analyzer before use, and confirm where the generated report will be saved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 94%
Finding
The manifest description is very broadly scoped ('survey recent papers', 'literature review', 'find what's new') and can match many ordinary research-assistance prompts without clear constraints. In an agentic environment, this can cause unintended skill activation, leading the agent to perform multi-step searches, reads, analysis, and file writes when the user may have only wanted a simple answer.

Vague Triggers

Medium
Confidence: 92%
Finding
The 'When to Use' examples are written as broad natural-language requests that overlap heavily with common academic or general knowledge queries. This increases the chance the orchestrator invokes the skill for routine questions, expanding tool usage and side effects beyond user intent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs the agent to save a report to the working directory without requiring user confirmation or clearly disclosing that a file will be created. Silent filesystem writes are a meaningful side effect: they can surprise users, overwrite expected outputs, leak sensitive research topics into local storage, or violate least-surprise and consent expectations.

Vague Triggers

Medium
Confidence: 94%
Finding
The skill description uses broad phrases like literature review, find what's new, and track progress in AI subfields, which can cause the skill to be auto-selected for loosely related research requests. Over-broad triggering increases the chance of unintended tool use and downstream file writes or external searches without the user explicitly asking for this workflow.

Vague Triggers

Medium
Confidence: 92%
Finding
The 'When to Use' section includes natural-language examples that are broad and overlap with many ordinary research questions. In an agentic environment, this can lead to accidental invocation of a multi-step workflow that reads local files, queries external tools, and writes output, even when the user may have wanted a lighter-weight response.

Missing User Warnings

Low
Confidence: 89%
Finding
The skill instructs the agent to save a Markdown report to the working directory without any explicit user notice or confirmation. Unannounced file creation can surprise users, overwrite expectations about workspace state, and is riskier here because the skill may be triggered by broad prompts.

VirusTotal

63/63 vendors flagged this skill as clean.
