ArXiv Collision Cognition

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only research helper for comparing ArXiv papers with project context; its network fetching and local logging are purpose-aligned and disclosed, though users should enable automated screening deliberately.

Install this only if you want an agent to help analyze ArXiv papers against your project. Enable daily or heartbeat screening deliberately, keep collision logs in a workspace you can review, and avoid supplying confidential project details unless you are comfortable with them being stored in local research logs or handled by downstream tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly describes fetching papers from the ArXiv API and writing each collision to logs, but it does not warn users that using the skill may trigger outbound network access or persist project context and derived insights to disk. Because the example project context contains potentially sensitive operational details, silent logging or transmission could expose proprietary information or create compliance issues in environments that restrict external calls.

Missing User Warnings

Low
Confidence: 81%
Finding
The daily screening workflow advertises periodic ArXiv API pulls but omits any warning that the skill performs recurring external network requests. In managed or sensitive environments, undocumented scheduled network activity can violate policy, surprise operators, and increase the chance that contextual metadata is exposed through automated runs.

VirusTotal

65/65 vendors flagged this skill as clean.
