Security audit

deep-research skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, structured research workflow that runs a local helper script and saves reports; the review found no evidence of hidden, destructive, credential-stealing, or exfiltration behavior.

Review the orchestrator before use and expect it to run bash and write local session and report files. Set DEEP_RESEARCH_REPORTS_DIR if you want reports stored elsewhere. Avoid confidential topics unless you trust the configured search, fetch, chat, and any Feishu delivery tools.
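One way to do the review the overview recommends before trusting the orchestrator: run it once inside a scratch tree with a stripped-down environment, point DEEP_RESEARCH_REPORTS_DIR into that tree, and diff the tree to see exactly which files it created. This is an added example, not code from the audited skill; FAKE_ORCHESTRATOR is a constructed stand-in that mimics the disclosed session/report writes, and the file layout it produces is an assumption of the demo.

```python
"""Added example (not the audited skill's code): run an orchestrator-style
script once in a scratch HOME with a minimal environment, redirect
DEEP_RESEARCH_REPORTS_DIR, and report every file it created. The stand-in
script FAKE_ORCHESTRATOR is constructed for the demo."""
import os
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in that mimics the disclosed behaviour: one session/state
# file in the working directory and one report under the reports directory.
FAKE_ORCHESTRATOR = """\
#!/bin/sh
set -eu
mkdir -p .deep-research "$DEEP_RESEARCH_REPORTS_DIR"
printf 'stage=%s\\n' "${1:-s0}" > .deep-research/session.state
printf '# report\\n' > "$DEEP_RESEARCH_REPORTS_DIR/report.md"
"""


def snapshot(root: Path) -> set:
    """Relative paths of every regular file under root."""
    return {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}


def run_observed(script_text: str, args: list) -> dict:
    """Execute the script in an isolated tree and diff the tree around it.

    Only PATH, HOME and DEEP_RESEARCH_REPORTS_DIR are passed through, so the
    script cannot read the caller's secrets from the environment, and HOME
    points into the scratch tree so stray dotfiles show up in the diff.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        work = root / "work"
        work.mkdir()
        script = work / "orchestrator.sh"
        script.write_text(script_text)
        env = {
            "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
            "HOME": str(root),
            "DEEP_RESEARCH_REPORTS_DIR": str(root / "reports"),
        }
        before = snapshot(root)
        proc = subprocess.run(
            ["sh", str(script), *args], cwd=work, env=env,
            capture_output=True, text=True, timeout=30,
        )
        created = sorted(snapshot(root) - before)
        return {"returncode": proc.returncode, "created": created,
                "stderr": proc.stderr}


if __name__ == "__main__":
    result = run_observed(FAKE_ORCHESTRATOR, ["s0"])
    print("exit", result["returncode"])
    for path in result["created"]:
        print("created", path)
```

The file diff shows what the script persists and where, which is the side effect the findings below say the skill never discloses. It does not show network egress: the search, fetch, chat and Feishu tools the overview mentions would have to be observed separately, for example by running with networking disabled or behind an egress proxy.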

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill instructs the agent to run a shell script and describes behavior that includes creating session/state files, but the skill metadata does not declare corresponding permissions or clearly scope those capabilities. This mismatch is dangerous because it hides write side effects from policy and user review, making unintended filesystem changes easier to trigger without transparent authorization.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to execute a local shell command (`bash orchestrator.sh --complete s0 --next s1`) even though this step only concerns collecting and confirming research scope with the user. Allowing shell execution expands the skill from conversational orchestration into host-level action, which can be abused if the orchestration script or its arguments are altered, or if the environment treats such commands as trusted control signals.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The step instructs the agent to execute a local shell command (`bash orchestrator.sh --complete s4 --next s5`) that is not necessary for the content-fetching objective itself and crosses from research workflow guidance into host-level command execution. In an agent setting, any embedded shell execution increases the attack surface because it can trigger unintended local actions, be repurposed if the script or arguments are modified, and normalize unsafe command execution from untrusted skill content.
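The least-privilege finding above and the two context-inappropriate-capability findings share one root cause: the step text tells the agent to run shell commands, read an environment variable, write files and send data, while the metadata declares none of it. The check below extracts those capabilities from the skill text, attributes each shell command to the step it appears in, and diffs the result against a declared manifest. This is an added example, not code from the audited skill or from SkillSpector; SKILL_MD and DECLARED are constructed stand-ins modelled on the findings, and the regex heuristics are the author's own assumptions about how such instructions are phrased.

```python
"""Added example (not the audited skill's code): statically list the
capabilities a skill's instructions actually exercise and diff them
against what its metadata declares. SKILL_MD and DECLARED are constructed
stand-ins modelled on the findings above."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the audited skill's step instructions.
SKILL_MD = """\
## Step 0: Confirm scope
Ask the user to confirm the research scope, then run:
`bash orchestrator.sh "[topic]"`
`bash orchestrator.sh --complete s0 --next s1`

## Step 5: Deliver
Save the report to $DEEP_RESEARCH_REPORTS_DIR/report.md and send the
executive summary via Feishu or the current chat.
"""

# Constructed manifest: the only capability the metadata declares.
DECLARED = {"chat"}

# Inline-code shell invocations the agent is told to run verbatim.
SHELL_CMD = re.compile(r"`((?:bash|sh|python3?|node)\s[^`]+)`")
# Environment variables the instructions read or depend on.
ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?")
# Hints that a step persists data or pushes it to an external channel.
WRITE_HINT = re.compile(r"\b(save|write|create|persist)\b", re.I)
SEND_HINT = re.compile(r"\b(send|post|upload|deliver)\b.*?\b(Feishu|webhook|http)",
                       re.I | re.S)


@dataclass
class Capabilities:
    shell: list = field(default_factory=list)   # (section, command) pairs
    env: set = field(default_factory=set)
    filesystem_write: bool = False
    network_send: bool = False


def extract(text: str) -> Capabilities:
    """Walk the skill text, attributing each shell command to its section."""
    caps = Capabilities()
    section = "(preamble)"
    for line in text.splitlines():
        if line.startswith("#"):
            section = line.lstrip("#").strip()
            continue
        for cmd in SHELL_CMD.findall(line):
            caps.shell.append((section, cmd))
        caps.env.update(ENV_REF.findall(line))
        if WRITE_HINT.search(line):
            caps.filesystem_write = True
    if SEND_HINT.search(text):
        caps.network_send = True
    return caps


def undeclared(caps: Capabilities, declared: set) -> list:
    """Capabilities the text exercises but the manifest never declares."""
    needed = set()
    if caps.shell:
        needed.add("shell")
    if caps.env:
        needed.add("env:read")
    if caps.filesystem_write:
        needed.add("filesystem:write")
    if caps.network_send:
        needed.add("network:send")
    return sorted(needed - declared)


if __name__ == "__main__":
    caps = extract(SKILL_MD)
    for section, cmd in caps.shell:
        print(f"[{section}] runs: {cmd}")
    print("undeclared:", undeclared(caps, DECLARED))
```

Attributing commands to sections is what makes the context-inappropriate findings actionable: a reviewer can see that a scope-confirmation step has no business running bash. The regexes are deliberately simple and will miss commands that are only described in prose, so treat an empty result as "nothing obvious", not as a clean bill.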

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to run a shell orchestrator automatically for research tasks, but does not warn that this executes local code and may create files under a reports directory. In an agent-skill context, normalizing implicit shell execution without explicit consent or side-effect disclosure increases the chance that an agent or operator runs unreviewed code and writes artifacts unexpectedly.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger condition is broad enough to match many ordinary requests such as research, analysis, or market questions, which can cause the skill to activate in contexts where the user did not intend a multi-step orchestrated workflow with command execution. In this skill, that broad trigger is more dangerous because activation leads directly to mandatory shell-script use and stateful side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates immediate execution of `bash orchestrator.sh "[调研主题]"` (the placeholder means "[research topic]") and later shell commands, yet it does not provide a clear user-facing warning that commands will run, files will be created, and system state may change. This is dangerous because skill content must be treated as untrusted by default, and mandatory shell execution creates a direct path to command execution and filesystem modification without informed consent or safety review.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill mandates bilingual Chinese/English keyword generation before proceeding, without considering the user's language preference or whether bilingual output is necessary for the task. This can cause unnecessary disclosure, broaden queries beyond user intent, and degrade safety or privacy posture by forcing extra search surface and outputs the user did not request.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The validation checklist enforces Chinese/English bilingual keywords as a blocking criterion, meaning the agent cannot continue unless it expands the search into both languages. In a deep-research skill, this rigid rule can systematically override user preferences, increase collection of irrelevant or sensitive material, and create unnecessary exposure to broader sources.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill content is entirely written to require Chinese-language output and does not provide any user-choice mechanism or documented operational need for that restriction. In a general-purpose research skill, forcing a single language can degrade usability, cause misunderstanding of user intent, and create safety/compliance issues if users expect outputs in another language or need multilingual source handling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The step explicitly instructs the agent to save a generated report to a local path, but it provides no requirement to inform the user, obtain consent, or clarify where potentially sensitive research content will be persisted. In a deep-research skill, reports may contain proprietary business analysis, internal notes, or sensitive user-provided context, so silent file writes create data handling and privacy risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs sending the executive summary and core conclusions through Feishu or the current chat without any privacy warning, recipient validation, or data classification check. Because this skill is designed for commercial decision-grade research, the summary may contain confidential competitive intelligence, strategy recommendations, or user-sensitive inputs, making silent transmission to external channels a meaningful data leakage risk.

VirusTotal

64/64 vendors flagged this skill as clean.