Deep Research Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent deep-research skill that uses the expected web search, LLM provider keys, sub-agents, and report writing, but users should understand the privacy, file-output, and dependency-management caveats.

Install only if you are comfortable sending research topics, URLs, and fetched page content to Tavily and your chosen LLM provider. Run the backend in a dedicated virtual environment or sandbox, monitor API usage and cost, and check generated /research_request.md and /final_report.md outputs for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs use of environment variables for API keys and web/network-backed tooling, but it does not declare corresponding permissions. That mismatch can bypass expected review or consent mechanisms, making secret access and outbound requests less transparent to the host system and user. In a research agent that performs autonomous multi-step search, this increases risk because network and credential use are central to operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly describes persistent file writing (e.g. read/write_file and /final_report.md output) but does not warn users that invoking the skill may modify local files. In an autonomous agent context, undocumented filesystem writes can surprise users, overwrite existing data, or create sensitive artifacts on disk, especially when sub-agents operate automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises deep web research, Tavily-powered search, and multiple LLM backends, which implies that user prompts and fetched web content are sent to third-party services, but it does not disclose this data flow or associated privacy risks. For a research agent handling arbitrary user topics, omission of this warning can cause users to unintentionally transmit sensitive queries, proprietary text, or personal data to external providers.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger conditions are broad enough to match ordinary user requests such as generic 'research [X]' or comprehensive analysis prompts, which can cause the agent to invoke a powerful autonomous workflow unexpectedly. Because this skill performs multi-step web access and potentially delegated research, accidental triggering can lead to unnecessary external calls, cost, and execution of a more capable workflow than the user intended.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown describes running a backend script that writes a report file to `/final_report.md`, but it does not clearly warn the user about local file creation or where outputs will be stored. Hidden or poorly disclosed file-writing behavior reduces user awareness and can cause unintended persistence of sensitive research topics or collected data on disk. In an autonomous research context, this is more concerning because generated reports may contain proprietary or sensitive information aggregated from multiple sources.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The function fetches arbitrary URLs returned from search and converts full page contents to markdown, which are then supplied to the research workflow and potentially onward to an external LLM. In a deep-research agent, this creates a real data-sharing and prompt-injection exposure surface because untrusted remote content is ingested and processed without any user-facing consent, content isolation, or filtering.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The system prompt instructs the agent to write files to fixed paths such as /research_request.md and /final_report.md without clear prior disclosure or path controls. In an autonomous agent context, silent filesystem modification is risky because users may not expect writes, the fixed absolute-style paths can overwrite existing files in some runtimes, and prompt-injected workflows may abuse file-writing behavior.

Unpinned Dependencies

Low
Category
Supply Chain
Content
deepagents>=0.1.0
langchain>=0.3.0
langchain-core>=0.3.0
langchain-anthropic>=0.3.0
Confidence
90% confidence
Finding
deepagents>=0.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
deepagents>=0.1.0
langchain>=0.3.0
langchain-core>=0.3.0
langchain-anthropic>=0.3.0
tavily-python>=0.5.0
Confidence
96% confidence
Finding
langchain>=0.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
deepagents>=0.1.0
langchain>=0.3.0
langchain-core>=0.3.0
langchain-anthropic>=0.3.0
tavily-python>=0.5.0
httpx>=0.27.0
Confidence
96% confidence
Finding
langchain-core>=0.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
deepagents>=0.1.0
langchain>=0.3.0
langchain-core>=0.3.0
langchain-anthropic>=0.3.0
tavily-python>=0.5.0
httpx>=0.27.0
markdownify>=0.13.0
Confidence
88% confidence
Finding
langchain-anthropic>=0.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain>=0.3.0
langchain-core>=0.3.0
langchain-anthropic>=0.3.0
tavily-python>=0.5.0
httpx>=0.27.0
markdownify>=0.13.0
Confidence
83% confidence
Finding
tavily-python>=0.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain-core>=0.3.0
langchain-anthropic>=0.3.0
tavily-python>=0.5.0
httpx>=0.27.0
markdownify>=0.13.0
Confidence
93% confidence
Finding
httpx>=0.27.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain-anthropic>=0.3.0
tavily-python>=0.5.0
httpx>=0.27.0
markdownify>=0.13.0
Confidence
80% confidence
Finding
markdownify>=0.13.0

Known Vulnerable Dependency: langchain — 10 advisory(ies): CVE-2023-36258 (langchain arbitrary code execution vulnerability); CVE-2026-45134 (LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust); CVE-2024-2965 (Denial of service in langchain-community) +7 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
langchain

Known Vulnerable Dependency: langchain-core — 10 advisory(ies): CVE-2026-26013 (LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_to); CVE-2024-10940 (langchain-core allows unauthorized users to read arbitrary files from the host f); CVE-2025-65106 (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templa) +7 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
langchain-core

Known Vulnerable Dependency: httpx — 2 advisory(ies): CVE-2021-41945 (Improper Input Validation in httpx); CVE-2021-41945 (Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `http)

Critical
Category
Supply Chain
Confidence
78% confidence
Finding
httpx

Known Vulnerable Dependency: markdownify — 1 advisory(ies): CVE-2025-46656 (markdownify allows large headline prefixes such as <h9999999>, which causes memo)

Low
Category
Supply Chain
Confidence
71% confidence
Finding
markdownify

VirusTotal

67/67 vendors flagged this skill as clean.