Smartlib Citation Checker Clawhub

Security checks across malware telemetry and agentic risk

Overview

This citation-checking skill is not malware, but it needs review because it stores a user email in shared skill config, sends reference content to an external service, consumes quota, and includes payment flows.

Install only if you are comfortable providing SmartLib gateway credentials, sending pasted references or manuscript citation text to SmartLib, sharing quota with smartlib-literature-search, and letting the skill persist your email in that other skill's config. Review payment prompts carefully and do not use it for confidential unpublished work unless the SmartLib data-handling terms meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill’s documented behavior extends from citation verification into commerce workflows: creating recharge orders, rendering payment QR pages, and polling payment status. That materially broadens the trust boundary and capability surface beyond the user’s expected task, increasing the risk of unintended financial actions, phishing-like UI behavior, or misuse if the skill is invoked in the wrong context.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill claims limited-use handling of user content, yet instructs the agent to persist the user’s email into another skill’s config.json for shared credentials. This is a real privacy and integrity issue because it creates durable storage and cross-skill data sharing without clear separation, undermining the stated privacy model and making the email available outside the immediate verification session.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill explicitly directs reading and modifying another skill’s config.json, which is unjustified cross-skill filesystem access for a citation-checking function. This breaks isolation boundaries between skills, enables unauthorized reuse or tampering with another skill’s state, and can lead to data leakage or privilege confusion if one skill is compromised or misused.

Intent-Code Divergence

High
Confidence: 96%
Finding
The privacy note says uploaded content is only used for the current verification and not stored, but earlier instructions require persisting the user’s email in shared configuration. That inconsistency is dangerous because it can mislead users about retention and data sharing, invalidating informed consent and masking actual persistent storage behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README states that citation data is live-verified through the SmartLib API, but it does not clearly warn users that pasted manuscript references or paper content may be transmitted to an external service. In this context, users may submit unpublished or sensitive academic material, so lack of explicit disclosure undermines informed consent and can cause unintended data exposure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README discloses automatic account registration and shared credentials/quota, but it does not present this as a clear user-facing warning or consent boundary. Automatic creation of an external account and consumption of shared quota can surprise users, create privacy/compliance issues, and make attribution or billing behavior unclear.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger list includes broad natural-language phrases such as generic reference-checking requests, which raises the chance of accidental or overly broad invocation. In this skill, unintended invocation is more concerning because the workflow can progress into registration, quota consumption, and even recharge flows, amplifying the consequences of a false trigger.

VirusTotal

63/63 vendors flagged this skill as clean.
