Smartlib Literature Search Clawhub

Security checks across malware telemetry and agentic risk

Overview

This literature-download skill is useful in concept, but it asks agents to auto-register users, persist and transmit email addresses, and use fallback download methods that may bypass publisher access controls.

Install only if you are comfortable with the skill contacting SmartLib services, storing your email locally, creating or using an external account/quota flow, and downloading files to disk. Do not use the CDP/browser-automation fallback to bypass publisher restrictions; keep retrieval to open-access or otherwise authorized sources and review output paths before batch downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The troubleshooting guidance explicitly suggests deploying Chromium CDP as a long-term solution to bypass publisher anti-hotlinking. That moves the skill beyond legitimate literature retrieval into anti-access-control evasion, which can enable unauthorized downloading from protected publisher sites and materially increases abuse potential. In the context of an automated agent skill, this is more dangerous because it operationalizes the bypass at scale rather than leaving it as a manual edge case.

Missing User Warnings

Medium
Confidence: 86%
Finding
The usage examples automate downloading papers into a local output directory but provide no warning about filesystem side effects, naming collisions, storage consumption, or overwrite behavior. In an agent setting, silent file writes can surprise users, clobber existing files, or persist large numbers of documents without explicit consent, especially when batch and parallel modes are encouraged.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document instructs agents to invoke curl as a subprocess for fallback downloading without disclosing subprocess execution or external network access. Subprocess spawning broadens the attack surface and, if later combined with unsafely handled URLs or arguments, can lead to command execution risks, opaque network activity, and policy bypasses that users did not authorize.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states that missing credentials will trigger automatic registration through an external gateway, but it does not clearly warn users that account creation and related data will be sent to third-party services. This creates a consent and privacy risk because users may unknowingly initiate external account provisioning and billing-related workflows simply by using the skill.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger list is broad enough to activate on common phrases such as writing-help or literature-related requests that may not imply informed consent to registration, quota use, or remote API calls. In this skill, unintended invocation is more dangerous because activation can lead to collecting an email, writing it to local config, auto-registering a remote account, and steering the user into paid recharge flows.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs storing the user's email in a local config file and sending it to a remote registration service, but this data-handling behavior is not clearly disclosed up front before collection. That creates a privacy and consent issue: users may trigger the skill expecting search only, while the skill persists personal data and provisions an external account automatically.

Ssd 4

Medium
Confidence: 90%
Finding
The download workflow normalizes escalating attempts to obtain full text through multiple channels, including browser automation against publisher sites and fallback handling for access-controlled content. In context, this raises legal/compliance and anti-circumvention risk, and could encourage automated interaction with publisher defenses or access restrictions beyond ordinary metadata retrieval.

VirusTotal

64/64 vendors flagged this skill as clean.
