Scholar Research

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: searches academic sources, scores papers, and optionally handles PDFs, with no evidence of hidden persistence, credential theft, or unrelated system access.

Install only from the reviewed artifact or a verified repository. Avoid using it for confidential research topics unless you are comfortable sending queries and metadata to academic APIs, and run PDF download or figure extraction in a constrained environment when processing files from unknown sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly describes downloading metadata and PDFs from many remote sources, allows user-configured custom sources, and lists dependencies consistent with network access and document processing, yet no permissions are declared. That mismatch is a real security issue because it hides material capabilities from users and reviewers, reducing informed consent and making it easier for network/file/shell-capable implementations to overreach beyond expected behavior.
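A reviewer can make the "declared versus observed capability" mismatch concrete by scanning the skill's source for call sites that imply network, shell, filesystem or environment access and diffing them against the declared permission set. The following is an added example written for this page, not SkillSpector's code or the skill's code; the call-to-capability table, the manifest shape (a plain set of capability names) and the sample skill module are all constructed for illustration.

```python
import ast
from typing import Dict, Set

# Call targets that imply a capability. This grouping is the example's own,
# not SkillSpector's taxonomy; extend it for the libraries a skill really uses.
CAPABILITY_CALLS: Dict[str, Set[str]] = {
    "network": {"requests.get", "requests.post", "urllib.request.urlopen",
                "httpx.get", "socket.socket"},
    "shell": {"subprocess.run", "subprocess.Popen", "subprocess.check_output",
              "os.system", "os.popen"},
    "filesystem": {"open", "shutil.copy", "os.remove", "shutil.rmtree"},
    "environment": {"os.getenv", "os.environ.get"},
}


def _dotted_name(node: ast.AST) -> str:
    """Render a call target such as requests.get or os.environ.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""  # calls on call results, subscripts, etc. are not attributed


def observed_capabilities(source: str) -> Dict[str, Set[str]]:
    """Map each capability to the call sites (target@line) that exercise it."""
    found: Dict[str, Set[str]] = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            target = _dotted_name(node.func)
            for capability, calls in CAPABILITY_CALLS.items():
                if target in calls:
                    found.setdefault(capability, set()).add(f"{target}@L{node.lineno}")
    return found


def undeclared_capabilities(source: str, declared: Set[str]) -> Dict[str, Set[str]]:
    """Capabilities the code exercises but the manifest does not declare."""
    return {cap: sites for cap, sites in observed_capabilities(source).items()
            if cap not in declared}


# Constructed sample shaped like the behaviour described in the findings above.
SAMPLE_SKILL_SOURCE = '''
import os, requests, subprocess

def fetch(query):
    token = os.getenv("API_TOKEN")
    return requests.get("https://api.example.org/search", params={"q": query}).json()

def to_text(pdf):
    subprocess.run(["pdftotext", pdf, "out.txt"], check=True)
'''

# Assumed manifest shape: a set of capability names. Empty, as for this skill.
DECLARED_PERMISSIONS: Set[str] = set()

if __name__ == "__main__":
    gaps = undeclared_capabilities(SAMPLE_SKILL_SOURCE, DECLARED_PERMISSIONS)
    for cap, sites in sorted(gaps.items()):
        print(f"undeclared {cap}: {', '.join(sorted(sites))}")
```

Run against the sample module this reports undeclared network, shell and environment access with the line of each call. A static table like this misses dynamic dispatch and aliased imports, so treat an empty result as "nothing obvious", not as proof the manifest is complete.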

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The module invokes an external PDF-processing binary on potentially untrusted input files. While the Python call is not command-injection-prone, parsers like pdftotext have historically had memory-safety and malformed-file issues, so processing attacker-controlled PDFs can expose the host environment to parser exploits or denial of service.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
This code sends untrusted PDFs to pdfimages, an external parser, and then trusts the extraction side effects in the output directory. The danger is not shell injection but exposure to parser vulnerabilities, resource exhaustion, or unexpected file generation behavior when handling maliciously crafted PDF content.
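The two parser findings above share one mitigation: treat pdftotext and pdfimages as untrusted code running on attacker-controlled input, and give them a fresh working directory, no shell, no inherited environment, a wall-clock timeout and kernel resource limits, then trust only the output files you expected. The block below is an added example for this page, not the skill's code; the limit values, the argv lists, and the handling of the parser's output directory are this example's choices (POSIX only, because it relies on setrlimit in the child).

```python
import os
import resource
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Limits are this example's choices; tune them for the PDFs you actually process.
MAX_PDF_BYTES = 50 * 1024 * 1024
CPU_SECONDS = 30
ADDRESS_SPACE_BYTES = 2 * 1024 * 1024 * 1024
OUTPUT_FILE_BYTES = 200 * 1024 * 1024
MAX_OUTPUT_FILES = 500


def validate_pdf_bytes(data: bytes) -> bool:
    """Cheap pre-check before any parser sees the file: size cap and PDF magic."""
    return 0 < len(data) <= MAX_PDF_BYTES and data.startswith(b"%PDF-")


def _cap(limit: int, value: int) -> None:
    """Set soft and hard limit to value, never above the inherited hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _apply_limits() -> None:
    """Runs in the child between fork and exec: CPU, memory, output size, no core dumps."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE_BYTES)
    _cap(resource.RLIMIT_FSIZE, OUTPUT_FILE_BYTES)
    _cap(resource.RLIMIT_CORE, 0)


def run_constrained(argv: List[str], workdir: Path, wall_seconds: int = 60) -> Dict[str, object]:
    """Run a parser as an argv list (no shell) inside workdir with hard limits."""
    try:
        proc = subprocess.run(
            argv, cwd=workdir, env={"PATH": "/usr/bin:/bin"},
            stdin=subprocess.DEVNULL, capture_output=True,
            timeout=wall_seconds, preexec_fn=_apply_limits, check=False)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "returncode": None}
    except FileNotFoundError:
        return {"status": "missing_parser", "returncode": None}
    status = "ok" if proc.returncode == 0 else "failed"
    return {"status": status, "returncode": proc.returncode, "stderr": proc.stderr[:4096]}


def collect_outputs(workdir: Path, expected_suffixes: Set[str]) -> List[Path]:
    """Trust only regular, non-symlink files directly in workdir with an expected suffix."""
    outputs: List[Path] = []
    with os.scandir(workdir) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if entry.is_file(follow_symlinks=False) and Path(entry.name).suffix in expected_suffixes:
                outputs.append(Path(entry.path))
    if len(outputs) > MAX_OUTPUT_FILES:
        raise RuntimeError(f"parser produced {len(outputs)} files, more than {MAX_OUTPUT_FILES}")
    return outputs


def extract_text(pdf_bytes: bytes) -> Dict[str, object]:
    """Copy the untrusted PDF into a fresh directory and run pdftotext on it there."""
    if not validate_pdf_bytes(pdf_bytes):
        return {"status": "rejected"}
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        (workdir / "in.pdf").write_bytes(pdf_bytes)
        result = run_constrained(["pdftotext", "-q", "-l", "50", "in.pdf", "out.txt"], workdir)
        if result["status"] == "ok":
            result["text"] = (workdir / "out.txt").read_text(errors="replace")
        return result


def extract_images(pdf_bytes: bytes) -> Dict[str, object]:
    """Same isolation for pdfimages; only .png files it leaves in workdir are read back."""
    if not validate_pdf_bytes(pdf_bytes):
        return {"status": "rejected"}
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        (workdir / "in.pdf").write_bytes(pdf_bytes)
        result = run_constrained(["pdfimages", "-png", "in.pdf", "img"], workdir)
        if result["status"] == "ok":
            result["images"] = [p.read_bytes() for p in collect_outputs(workdir, {".png"})]
        return result
```

The resource limits and timeout stop a crafted PDF from turning a parser bug into a denial of service, and the throwaway directory plus output filtering stop it from planting files where the rest of the pipeline will pick them up. They do not stop a memory-safety exploit from executing code as the calling user; for files from unknown sources, run this in a container or VM with no credentials, as the overview above already advises.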

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill accepts user-configured external sources and states it will download PDFs and process content, but it does not warn users about the risks of contacting arbitrary repositories or handling untrusted documents. In context, this is more dangerous because academic-paper workflows commonly fetch remote files at scale, which can expose systems to SSRF-like access to internal endpoints, malicious PDFs, excessive resource use, or privacy leakage through outbound requests.
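The SSRF-style risk from user-configured sources is addressed by validating every source URL before a request is made: require https, refuse embedded credentials and unusual ports, optionally restrict to an allowlist of hosts, and resolve the name and reject any answer that is loopback, private, link-local or otherwise non-public, including IPv4-mapped IPv6 forms. The block below is an added example for this page, not the skill's code; the resolver is injectable so the check can be exercised offline, and the constructed DNS table and host names are the example's own.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every address the name maps to; all of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for addresses that are routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def reject_reason(url: str, allowed_hosts: Iterable[str] = (),
                  resolver: Resolver = system_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short reason for refusing it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.port not in (None, 443):
        return f"port not allowed: {parts.port}"
    allowed = {h.lower() for h in allowed_hosts}
    if allowed and host.lower() not in allowed:
        return f"host not in allowlist: {host}"
    # Literal IPs are checked directly; names are resolved and every answer must be public.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    for addr in addresses:
        if not is_public_address(addr):
            return f"{host} resolves to non-public address {addr}"
    return None


if __name__ == "__main__":
    # Constructed DNS table so the example runs without network access.
    fake_dns = {"api.openalex.org": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    for candidate in ("https://api.openalex.org/works?search=x",
                      "https://intranet.example/admin",
                      "https://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", reject_reason(candidate, resolver=lambda h: fake_dns[h]) or "allowed")
```

Checking at validation time still leaves a DNS rebinding window between this lookup and the actual connection. The robust form pins the connection to the address that passed the check (or runs the same check inside the HTTP client's connection hook) and re-validates every redirect target, since a public host can 302 to an internal one.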

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code transmits a user-supplied author name to the OpenAlex API without any visible consent, notice, or control in this module. While author names are often public, they can still be sensitive in some research workflows, and sending them to a third party creates a privacy and metadata-leak risk about what the user is investigating.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code sends the provided journal name to CrossRef without any user-facing warning or privacy control in this file. This exposes user research interests and query metadata to an external service, which is a real concern in a scholar-research skill where search terms may reflect confidential projects or unpublished work.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User search terms are sent to third-party academic APIs, which can expose sensitive research topics, proprietary interests, or personal/medical queries to external services. In a research skill, this behavior is expected, but the absence of clear disclosure, consent, or configurable restrictions creates a real privacy risk rather than a code-execution flaw.

External Transmission

Medium
Category
Data Exfiltration
Content
import requests
from typing import Dict

def get_author_info(self, author_name: str) -> Dict:
    """Get author info from OpenAlex"""
    try:
        # author_name is interpolated unencoded into the query string and sent to a third party
        url = f"https://api.openalex.org/authors?search={author_name}&per_page=1"
        response = requests.get(url, timeout=10)
        data = response.json()
        return data
    except requests.RequestException:  # remainder of the method is not shown on the page
        return {}
Confidence
82% confidence
Finding
https://api.openalex.org/

External Transmission

Medium
Category
Data Exfiltration
Content
import requests
from typing import Dict

def get_journal_info(self, journal_name: str) -> Dict:
    """Get journal info from CrossRef"""
    try:
        # journal_name is interpolated unencoded into the URL path and sent to a third party
        url = f"https://api.crossref.org/journals/{journal_name}"
        response = requests.get(url, timeout=10)
        data = response.json()
        return data
    except requests.RequestException:  # remainder of the method is not shown on the page
        return {}
Confidence
80% confidence
Finding
https://api.crossref.org/
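The two External Transmission findings and the three Missing User Warnings findings above describe the same gap: query data leaves the host with no consent check, no notice and, as the quoted code shows, no URL encoding of the user-supplied value. The block below is an added example for this page, not the skill's code. It puts an explicit per-host consent gate and an audit log in front of both lookups, builds the OpenAlex query with urlencode and the CrossRef path segment with quote so that "&", "=", "/" and "?" in a name cannot alter the request, and takes an injectable fetch function so it can be exercised offline; the OutboundPolicy class, its method names and the fake responses are the example's own.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote, urlencode, urlsplit

Fetcher = Callable[[str], bytes]


def default_fetcher(url: str) -> bytes:
    """Real transport (stdlib, no third-party dependency); only used when no fake is injected."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


class OutboundPolicy:
    """Per-host consent gate plus an audit log of which query data went to which host."""

    def __init__(self, consented_hosts: Iterable[str] = ()):
        self.consented_hosts = {h.lower() for h in consented_hosts}
        self.log: List[Tuple[str, str]] = []

    def allows(self, url: str) -> bool:
        return (urlsplit(url).hostname or "").lower() in self.consented_hosts

    def check(self, url: str, purpose: str) -> None:
        host = urlsplit(url).hostname or ""
        if not self.allows(url):
            raise PermissionError(f"{purpose}: user has not consented to sending query data to {host}")
        self.log.append((host.lower(), purpose))


def author_lookup_url(author_name: str) -> str:
    """Query string built with urlencode, so '&', '=' and '#' in the name stay data."""
    return "https://api.openalex.org/authors?" + urlencode({"search": author_name, "per_page": 1})


def journal_lookup_url(journal_name: str) -> str:
    """Path segment quoted with safe='', so '/' and '?' cannot change the endpoint."""
    return "https://api.crossref.org/journals/" + quote(journal_name, safe="")


def get_author_info(author_name: str, policy: OutboundPolicy, fetch: Fetcher = default_fetcher) -> Dict:
    url = author_lookup_url(author_name)
    policy.check(url, "author lookup")  # refuses before any bytes leave the host
    return json.loads(fetch(url))


def get_journal_info(journal_name: str, policy: OutboundPolicy, fetch: Fetcher = default_fetcher) -> Dict:
    url = journal_lookup_url(journal_name)
    policy.check(url, "journal lookup")
    return json.loads(fetch(url))


if __name__ == "__main__":
    # Constructed responses so the example runs without contacting either API.
    fake = lambda url: b'{"results": []}'
    print(author_lookup_url("alice&per_page=100"))
    print(journal_lookup_url("../works?query=x"))
    policy = OutboundPolicy(consented_hosts=["api.openalex.org"])
    print(get_author_info("alice", policy, fake), policy.log)
    try:
        get_journal_info("Nature", policy, fake)
    except PermissionError as exc:
        print(exc)
```

The consent set is the user-facing control the findings ask for: populate it from an explicit opt-in in the skill's configuration, show the log so the user can see what was sent, and keep the encoding helpers even after consent is given, since an unencoded author name that contains "&per_page=100" silently changes what the API returns.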

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal