Jason Academic Writing

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate academic-writing helper, but it overstates its verification guarantees and sends sensitive manuscript content to external model/API services without clear consent controls.

Install only if you are comfortable sending research topics, citation metadata, evidence summaries, manuscript text, and revision content to the configured OpenAI-compatible provider and public literature APIs. Do not rely on its '100% integrity' or claim-verification language as proof that claims are supported; manually verify citations, statistics, PRISMA counts, registration IDs, and source support before using any generated manuscript.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill reads environment variables and depends on filesystem access, network access, and shell execution, but declares no permissions and does not otherwise constrain those capabilities. This creates a trust and review gap: users and orchestration systems may invoke the skill without understanding that it can read and write files, call external APIs, and run commands, which increases the risk of unintended data exposure or unsafe execution.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The function claims to verify whether manuscript claims are supported by evidence, but it unconditionally marks extracted claims as `supported: True` and labels evidence as pending. In an academic-writing integrity tool, this creates a dangerous false assurance channel that can let unsupported or hallucinated claims pass as verified, undermining the tool's stated integrity guarantees.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill advertises integrity-oriented manuscript generation, citation verification, and anti-hallucination safeguards, but this file only sends evidence to an LLM and saves the generated output. There is no validation that claims are supported by the provided papers, no citation-to-source consistency check, and no enforcement that generated references or statistics actually exist in the evidence, so users may trust fabricated academic content as verified.
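The two findings above describe the same gap from different angles: a verdict of `supported: True` that no check stands behind, and generated citations and statistics that are never compared with the evidence actually supplied. The following is an added illustration, not the skill's source: `unconditional_stub` reconstructs the pattern the finding describes, and `verify_claim` shows the minimum a claim-level check has to do before it may call a claim supported. The evidence set, citation ids and claims are constructed for the example; the check is deliberately narrow (every cited id must exist in the evidence, and every number in the claim must appear in the cited text), so it catches invented statistics and dangling references but says nothing about whether the prose itself paraphrases the source correctly.

```python
import re
from dataclasses import dataclass, field

# Constructed evidence set keyed by citation id, standing in for the skill's evidence file.
EVIDENCE = {
    "smith2020": "Smith et al. (2020) randomized 212 participants; systolic pressure "
                 "fell by 8.4 mmHg (95% CI 5.1 to 11.7).",
    "lee2019": "Lee and Park (2019) report a pooled odds ratio of 1.9 across 7 cohort studies.",
}

NUMBER = re.compile(r"-?\d+(?:\.\d+)?")


@dataclass
class Claim:
    text: str
    cites: list  # citation ids the manuscript attaches to this sentence


@dataclass
class Verdict:
    supported: bool
    reasons: list = field(default_factory=list)


def numbers_in(text):
    """All numeric literals in a text, as floats so 12 and 12.0 compare equal."""
    return {float(n) for n in NUMBER.findall(text)}


def verify_claim(claim, evidence):
    """A claim is supported only if every cited id exists and every number it
    asserts occurs in the cited evidence text. Anything else is unsupported,
    with the reasons recorded instead of a 'pending' label."""
    reasons = []
    if not claim.cites:
        reasons.append("no citation attached")
    unknown = [c for c in claim.cites if c not in evidence]
    if unknown:
        reasons.append(f"citation id(s) not in evidence: {unknown}")
    cited_text = " ".join(evidence[c] for c in claim.cites if c in evidence)
    stray = numbers_in(claim.text) - numbers_in(cited_text)
    if stray:
        reasons.append(f"number(s) absent from cited evidence: {sorted(stray)}")
    return Verdict(supported=not reasons, reasons=reasons)


def verify_manuscript(claims, evidence):
    """Verdict per claim; a manuscript passes only if every verdict is supported."""
    return [(c.text, verify_claim(c, evidence)) for c in claims]


def unconditional_stub(claim):
    # The anti-pattern the finding describes: a verdict with no check behind it.
    return {"claim": claim.text, "supported": True, "evidence": "pending"}


if __name__ == "__main__":
    claims = [
        Claim("The intervention lowered systolic pressure by 8.4 mmHg in 212 participants.", ["smith2020"]),
        Claim("The intervention lowered systolic pressure by 12.0 mmHg.", ["smith2020"]),
        Claim("Pooled odds ratio was 1.9.", ["jones2021"]),
    ]
    for text, verdict in verify_manuscript(claims, EVIDENCE):
        print(verdict.supported, text, verdict.reasons)
```

The point of the shape is that `supported` is computed from the reasons list rather than assigned: a reviewer reading the report sees why a claim failed, and a claim the checker cannot evaluate is reported as unsupported, never as pending-but-true.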

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The prompts require precise PRISMA counts, registration IDs, effect sizes, confidence intervals, software versions, and quality distributions, but the code does not compute or retrieve these values from the evidence file. In practice, the model is incentivized to invent authoritative-looking research details when the data is absent, creating a high risk of fabricated methods/results in academic manuscripts.
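The mitigation for this finding is to compute flow counts from the screening data and to refuse to build the prompt when a required value has no source, rather than leaving a slot the model will fill with something plausible. The following is an added example and not the skill's code; the screening-log schema (`duplicate_of`, `title_abstract`, `full_text`, `exclusion_reason`) and the log rows are constructed for illustration, and `REQUIRED_METADATA` is an assumed list of fields a methods-section prompt needs.

```python
from collections import Counter

# Constructed screening log (hypothetical schema): one row per retrieved record.
# A real skill would persist this while it runs its literature search.
SCREENING_LOG = [
    {"id": "r1", "duplicate_of": None, "title_abstract": "include", "full_text": "include", "exclusion_reason": None},
    {"id": "r2", "duplicate_of": "r1", "title_abstract": None, "full_text": None, "exclusion_reason": None},
    {"id": "r3", "duplicate_of": None, "title_abstract": "exclude", "full_text": None, "exclusion_reason": "wrong population"},
    {"id": "r4", "duplicate_of": None, "title_abstract": "include", "full_text": "exclude", "exclusion_reason": "no control group"},
    {"id": "r5", "duplicate_of": None, "title_abstract": "include", "full_text": "include", "exclusion_reason": None},
    {"id": "r6", "duplicate_of": "r5", "title_abstract": None, "full_text": None, "exclusion_reason": None},
]

REQUIRED_METADATA = ("registration_id", "search_date", "databases")  # assumed fields


def prisma_counts(records):
    """Derive PRISMA flow numbers from the log instead of asking the model for them."""
    unique = [r for r in records if r["duplicate_of"] is None]
    screened_in = [r for r in unique if r["title_abstract"] == "include"]
    included = [r for r in screened_in if r["full_text"] == "include"]
    ft_excluded = [r for r in screened_in if r["full_text"] == "exclude"]
    counts = {
        "identified": len(records),
        "duplicates_removed": len(records) - len(unique),
        "screened": len(unique),
        "excluded_at_screening": len(unique) - len(screened_in),
        "full_text_assessed": len(screened_in),
        "full_text_excluded": len(ft_excluded),
        "included": len(included),
        "full_text_exclusion_reasons": dict(Counter(r["exclusion_reason"] for r in ft_excluded)),
    }
    # The flow must close arithmetically; a gap means the log is incomplete
    # (e.g. a full-text decision still missing) and no manuscript should be drafted.
    if counts["full_text_assessed"] != counts["full_text_excluded"] + counts["included"]:
        raise ValueError("screening log inconsistent: full-text outcomes do not sum")
    return counts


def missing_metadata(metadata):
    """Required fields that have no source value."""
    return [k for k in REQUIRED_METADATA if not metadata.get(k)]


def methods_prompt_values(counts, metadata):
    """Values a methods-section prompt may use. Refuses when a field is missing
    rather than leaving a blank the model would fill."""
    missing = missing_metadata(metadata)
    if missing:
        raise ValueError(f"no source value for {missing}; cannot draft methods")
    return {**counts, **{k: metadata[k] for k in REQUIRED_METADATA}}


if __name__ == "__main__":
    counts = prisma_counts(SCREENING_LOG)
    print(methods_prompt_values(counts, {
        "registration_id": "CONSTRUCTED-ID-1",  # constructed placeholder, not a real registration
        "search_date": "2024-01-15",
        "databases": ["Semantic Scholar", "CrossRef"],
    }))
```

The same refusal applies to effect sizes, confidence intervals and software versions: if the value cannot be read from the evidence file or the run's own metadata, the prompt should not ask for it at all.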

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description includes broad trigger language such as general research-paper writing, citation verification, anti-hallucination checks, and review workflows, which could cause the skill to activate for common writing tasks beyond the author's intended scope. Over-broad activation can route unrelated user content into a workflow with network/file operations, increasing unnecessary exposure of sensitive drafts or research materials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes API-backed literature and DOI verification but does not warn users that manuscript content, citations, or research topics may be transmitted to third-party services. In an academic-writing context, this can expose unpublished ideas, confidential data, or sensitive drafts to external providers without informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends manuscript-derived citation queries to external services without explicit disclosure or consent. Even if only citation snippets or titles are transmitted, manuscript content in research workflows may be confidential, embargoed, or unpublished, so silent network transmission can leak sensitive information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends the user-provided research topic directly to the Semantic Scholar API, which can expose sensitive or unpublished research ideas to a third party. In an academic-writing skill, users may search proprietary, confidential, or embargoed topics, so silent external transmission creates a real privacy and data-governance risk even though it is expected functionality.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends the full manuscript to an external LLM service (`chat.completions.create`) without any explicit disclosure, consent gate, redaction step, or sensitivity check. In an academic-writing skill, manuscripts may contain unpublished research, confidential data, embargoed results, or proprietary text, so transmitting them off-box can cause confidentiality and compliance issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends manuscript text, which may contain unpublished research, proprietary data, personal data, or regulated content, to an external LLM service without an explicit user-facing consent or disclosure step. In an academic-writing skill, that context increases risk because manuscripts and reviewer feedback are often highly sensitive and confidentiality breaches can cause reputational, contractual, or publication harm.
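The five Missing User Warnings findings above all reduce to one missing control: nothing sits between the manuscript text and the network call. As an added example that is not part of the skill, the gate below shows what such a control looks like when placed in front of every external send (the OpenAI-compatible endpoint, Semantic Scholar, CrossRef). It requires an explicit opt-in, flags content that carries obvious sensitivity markers, redacts e-mail addresses, and returns a record of what left the machine. The consent variable `ACADEMIC_SKILL_ALLOW_EXTERNAL`, the marker list and the sample texts are assumptions made for the example; the marker list is a floor, not a classifier.

```python
import hashlib
import os
import re
from dataclasses import dataclass

CONSENT_ENV = "ACADEMIC_SKILL_ALLOW_EXTERNAL"  # hypothetical opt-in variable
SENSITIVE_MARKERS = ("confidential", "embargo", "do not distribute", "unpublished data")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Decision:
    allowed: bool
    reason: str
    payload: str = ""   # what may actually be sent (after redaction)
    sha256: str = ""    # digest of the payload, for the local send log
    flags: tuple = ()


def sensitivity_flags(text):
    """Cheap markers that should stop an unattended send; not a full classifier."""
    low = text.lower()
    flags = [m for m in SENSITIVE_MARKERS if m in low]
    if EMAIL.search(text):
        flags.append("email address")
    return tuple(flags)


def redact(text):
    return EMAIL.sub("[email redacted]", text)


def external_send_gate(text, destination, env, allow_flagged=False):
    """Decide whether text may be sent to destination. env is a mapping
    (os.environ in practice); flagged content needs an explicit second opt-in."""
    if env.get(CONSENT_ENV) != "1":
        return Decision(False, f"no consent: set {CONSENT_ENV}=1 to allow sending to {destination}")
    flags = sensitivity_flags(text)
    if flags and not allow_flagged:
        return Decision(False, f"content flagged ({', '.join(flags)}) for {destination}; "
                               "review it and pass allow_flagged=True", flags=flags)
    payload = redact(text)
    return Decision(True, f"sending {len(payload)} chars to {destination}",
                    payload, hashlib.sha256(payload.encode()).hexdigest(), flags)


if __name__ == "__main__":
    # Constructed sample inputs.
    for text, dest in [("machine learning for protein folding", "https://api.semanticscholar.org"),
                       ("CONFIDENTIAL draft; contact pi@example.org", "openai-compatible endpoint")]:
        d = external_send_gate(text, dest, os.environ)
        print(d.allowed, d.reason)
```

The call site then becomes `d = external_send_gate(manuscript, endpoint, os.environ)` followed by `if not d.allowed: raise SystemExit(d.reason)`, with `d.sha256` and `d.reason` written to a local log so the user can later see exactly which content was transmitted and where.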

Ssd 3

Medium
Confidence
97% confidence
Finding
The system forwards the manuscript verbatim to four separate reviewer agents, multiplying external exposure of user-supplied content. Because this skill is specifically for academic paper drafting and review, the data is likely to be sensitive, unpublished, and valuable; sending raw text to multiple agents increases confidentiality risk and broadens the disclosure surface.

Ssd 3

Medium
Confidence
93% confidence
Finding
The prompts explicitly ask reviewers to quote specific manuscript passages and section text, which encourages the model to reproduce sensitive source material in its outputs. Since those outputs are later stored and displayed, this increases the chance that confidential or unpublished manuscript content is unnecessarily replicated and exposed beyond the original input channel.

Ssd 3

Medium
Confidence
95% confidence
Finding
The code persists detailed reviewer outputs to `review_report.json`, and those outputs are derived from the manuscript and may contain quoted passages or sensitive summaries. This creates a durable local disclosure path: confidential research text may remain on disk longer than intended, be synced/backed up automatically, or be accessed by other users/processes on the system.

External Transmission

Medium
Category
Data Exfiltration
Content
**APIs used**:
- Semantic Scholar (`https://api.semanticscholar.org`)
- CrossRef DOI (`https://api.crossref.org/works/`)

### Stage 4: Review (5-Person Panel)
Confidence
88% confidence
Finding
https://api.crossref.org/

VirusTotal

67/67 vendors reported this skill as clean.