Running R Analysis In Existing Projects

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only R project helper; its file editing, report rendering, and package installation risks are disclosed and consistent with its stated purpose.

Install this only for R projects where you are comfortable letting the agent edit files, run project code, regenerate reports, and possibly install R packages. Use version control or backups, review diffs before accepting changes, and be especially careful running or rendering projects from sources you do not trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly describes re-running analyses, regenerating figures, and re-rendering reports, which implies broad modification of project files and derived outputs, but it does not warn users that invoking the skill will change artifacts in-place. In an existing research or production analysis project, silent modification can overwrite results, invalidate reproducibility, or cause users to trust altered outputs they did not expect to be changed.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README states that the skill detects and installs missing packages, including from CRAN and Bioconductor, without warning that it may alter the user's R environment and install software. Environment mutation can change dependency state, break reproducibility, trigger unreviewed network activity, and introduce supply-chain risk if users do not explicitly consent to package installation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly instructs the agent to recompute results, overwrite outputs, and re-render reports inside an existing project, but it does not require user confirmation, dry-run behavior, backups, or any warning that files will be modified. In a real project this can cause unintended destruction of prior results, loss of reproducibility artifacts, or silent alteration of reports and analysis outputs, especially when the user expected inspection or debugging rather than write actions.
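The second and third findings describe the same gap: installation and overwrite happen without an opt-in, a dry run, or a backup. The R helpers below are an added example of what those guard rails look like in a project's own setup script. They are not part of the scanned skill or its README; the package names, file paths and argument names (`install`, `dry_run`, `confirm`) are illustrative choices, and the default invocation at the bottom is read-only.

```r
# Added example (not the scanned skill's code): opt-in package installation
# and backed-up, dry-run-first regeneration of outputs. Names are illustrative.

# 1. Report missing CRAN/Bioconductor packages; install only with explicit opt-in.
check_packages <- function(cran = character(), bioc = character(), install = FALSE) {
  have <- rownames(installed.packages())
  missing_cran <- setdiff(cran, have)
  missing_bioc <- setdiff(bioc, have)
  if (length(missing_cran) == 0 && length(missing_bioc) == 0) {
    message("All required packages are installed.")
    return(invisible(character()))
  }
  message("Missing CRAN packages: ", paste(missing_cran, collapse = ", "))
  message("Missing Bioconductor packages: ", paste(missing_bioc, collapse = ", "))
  if (!install) {
    message("Not installing; re-run with install = TRUE to consent to installation.")
    return(invisible(c(missing_cran, missing_bioc)))
  }
  # Network activity and environment mutation happen only on this branch.
  if (length(missing_cran) > 0) install.packages(missing_cran)
  if (length(missing_bioc) > 0) {
    if (!requireNamespace("BiocManager", quietly = TRUE)) install.packages("BiocManager")
    BiocManager::install(missing_bioc, update = FALSE, ask = FALSE)
  }
  invisible(c(missing_cran, missing_bioc))
}

# 2. Snapshot existing outputs before they are regenerated. With dry_run = TRUE
#    (the default) it only lists what would be overwritten and touches nothing.
backup_outputs <- function(paths,
                           backup_dir = file.path("backups", format(Sys.time(), "%Y%m%d-%H%M%S")),
                           dry_run = TRUE) {
  existing <- paths[file.exists(paths)]
  if (length(existing) == 0) {
    message("No existing outputs to back up.")
    return(invisible(character()))
  }
  if (dry_run) {
    message("Dry run: these files would be overwritten:\n", paste(" ", existing, collapse = "\n"))
    return(invisible(existing))
  }
  dest <- file.path(backup_dir, existing)          # keep relative layout inside the backup
  for (d in unique(dirname(dest))) dir.create(d, recursive = TRUE, showWarnings = FALSE)
  # Record checksums so silently altered results can be detected after rendering.
  sums <- tools::md5sum(existing)
  writeLines(paste(sums, names(sums)), file.path(backup_dir, "MD5SUMS"))
  ok <- file.copy(existing, dest, overwrite = FALSE)
  stopifnot(all(ok))
  message("Backed up ", length(existing), " file(s) to ", backup_dir)
  invisible(backup_dir)
}

# 3. Re-render only after explicit confirmation; otherwise report and stop.
render_with_guard <- function(input = "report.Rmd",
                              outputs = c("report.html", "figures/fig1.png"),
                              confirm = FALSE) {
  backup_outputs(outputs, dry_run = !confirm)
  if (!confirm) {
    message("No files were modified. Call with confirm = TRUE to back up and render.")
    return(invisible(FALSE))
  }
  rmarkdown::render(input, output_file = outputs[1], quiet = TRUE)
  invisible(TRUE)
}

# Default invocation is read-only: it lists missing packages and files that would change.
check_packages(cran = c("ggplot2", "dplyr"), bioc = c("DESeq2"))
render_with_guard(confirm = FALSE)
```

The point of the split is that the agent can run the default, read-only path freely, while the `install = TRUE` and `confirm = TRUE` branches are the only places where the environment or the project's artifacts change, so a user (or a diff review) sees exactly where consent was given.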

VirusTotal

66/66 vendors flagged this skill as clean.
