Scientific Inquiry

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed research-workflow skill; it has some sensitive persistence and network-use features, but they are visible, purpose-aligned, and gated enough for normal use.

Install only if you want a formal research workflow that may search external public sources after you approve a plan. Do not include secrets in research queries, and only approve memory or skill updates when you intentionally want future behavior changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill promises no retrieval before explicit user confirmation, but later instructs the agent to perform baseline searches, search-engine diagnostics, and network tests beforehand. This contradiction weakens the safety boundary, making it easier for the agent to perform unapproved external actions and leak user intent or query content before consent.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
A scientific inquiry skill does not need persistent memory writes or self-modification to answer research questions, yet this file authorizes both. Any capability to alter memory or the skill itself expands the attack surface for prompt injection, persistence of malicious instructions, and corruption of future behavior beyond the current session.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The workflow explicitly authorizes shell-based `curl` requests to search engines and arbitrary HTTP targets for diagnostics. This exceeds normal research behavior and creates unnecessary risk of network misuse, access to unintended endpoints, and bypass of safer platform search tools and policy controls.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The security notice claims self-modification is only allowed on explicit user command, but the documented default behavior still performs automatic memory writes when users provide feedback. This is a persistence mechanism that can store adversarial or low-quality instructions without a strong consent boundary, undermining the stated safeguard.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger conditions include broad terms like 'research', 'investigate', 'look into', 'analyze', and 'check', which can match many ordinary requests. Overbroad activation increases the chance that this skill runs unexpectedly, bringing along its risky behaviors such as persistence and external retrieval in contexts where they were not intended.

VirusTotal

65/65 vendors flagged this skill as clean.