ClawHub

thesis-revision-editor

Security checks across malware telemetry and agentic risk

Overview

This instruction-only thesis editing skill does what it says: it reads user-provided thesis material and saves a revised copy without hidden network, credential, or destructive behavior.

Install only if you want the agent to read the thesis text or file path you provide and create a revised file. For sensitive or unpublished work, specify the exact output path, keep a backup, and review the revised copy before using it for submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to save revised content to disk by default, including creating files in the current working directory or adjacent to a user-supplied path, without requiring explicit user confirmation at write time. In an agent environment, implicit file writes can surprise users, create unwanted artifacts, and be abused to persist sensitive thesis content or modify local workspace state beyond what the user expected.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The default prompt is extremely broad: it asks the agent to review a complete thesis, revise it item by item, save the revised thesis, and explain every change, without defining clear user-confirmation boundaries or limiting when file-writing should occur. In a skill that may operate on full documents or file paths, this over-breadth increases the chance of unintended edits, over-collection of sensitive academic content, or execution in contexts the user did not narrowly authorize.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The manifest explicitly promises to 'save' a revised thesis but provides no warning that the skill may modify files or overwrite user content. In the context of thesis editing, users may supply large, high-value academic work via file path, so silent or insufficiently signposted write behavior can cause data loss, accidental overwrites, or unauthorized modification of important documents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal