Research skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only academic paper drafting skill whose local reading, LaTeX file creation, compilation command, and citation search are disclosed and fit its purpose.

Installing it is reasonable if you want a research paper drafting helper. Use a narrow project directory, set a clear output path, review generated files before compiling, and either avoid WebSearch or provide sanitized search terms when working with private or unpublished research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly indicates it will generate LaTeX files, write them to disk, and use Bash to compile the document, but it does not clearly disclose these side effects or require explicit user confirmation before file creation and shell execution. In an agent setting, undisclosed writes and command execution can surprise users, overwrite files, or trigger unsafe compilation behavior if project content or generated LaTeX is untrusted.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill states it will read project code, experiment results, and references, and may use WebSearch for related papers, but it does not warn that sensitive source code, unpublished results, or metadata could be exposed through broad project scanning or external queries. This is dangerous because users may invoke the skill on private research repositories without understanding that internal information could be processed more widely than expected.

VirusTotal

65/65 vendors flagged this skill as clean.
