Auto Research Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed research automation pipeline, but it asks the agent to run generated code, send research summaries externally, and persist lessons with controls that are not clearly scoped.

Install only if you are comfortable with an automated research workflow that can write many local artifacts, call external literature services and LLMs, send summaries to Feishu, remember run lessons, and execute generated Python. Use it on non-sensitive topics, review generated code before Phase E, disable or avoid Feishu notifications unless explicitly approved, and run experiments in a real sandbox with no secrets and limited filesystem/network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill orchestrates subprocesses, reads and writes files under the workspace, uses networked literature search, and references environment-derived paths, yet no explicit permissions are declared. That mismatch weakens review and consent boundaries: users or policy layers may not realize the skill can access local files, persist artifacts, and reach external services.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill loads prior 'lessons' from memory and later writes new run details back into persistent memory, which extends beyond ephemeral research generation into long-term retention. This can accumulate sensitive prompts, topics, failures, or environment details across runs without clear user consent or data-minimization controls.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
Feishu notifications are an external communication channel that can transmit run summaries and metadata outside the immediate agent-user interaction. In a research workflow, those summaries may include unpublished topics, experimental results, or internal operational details, creating an unintended data exfiltration path if not explicitly disclosed and controlled.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The workflow states that generated experiment code will be executed, which turns model-produced artifacts into runnable code with access to the local environment. This is a classic high-risk boundary crossing: prompt-influenced or malformed code can read files, alter artifacts, consume resources, or reach the network if execution is not sandboxed.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
This phase goes beyond passive research design and explicitly instructs execution of generated Python for syntax checking and optional runtime validation. Because the code is LLM-generated from prior untrusted artifacts, even 'validation' execution creates a code-execution sink that can run adversarial payloads, trigger filesystem access, or abuse available resources. The skill context increases risk because the pipeline is explicitly autonomous and file-driven across stages, so poisoned earlier-stage content can propagate into executable code.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
This stage explicitly runs generated Python code via shell execution, which creates an arbitrary code execution path from research artifacts into the local environment. Although the document mentions a sandbox, the controls are underspecified and rely on policy statements rather than enforceable isolation, making filesystem abuse, resource exhaustion, and sandbox escape attempts realistic risks.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The file claims writes are restricted to the experiment directory, but the procedure copies and executes code from /tmp/researchclaw_sandbox, which broadens the actual write surface and weakens operator assumptions about confinement. This kind of documentation/implementation mismatch is dangerous because users and downstream agents may trust a boundary that does not really exist.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
This stage expands the skill from a file/LLM-only pipeline into active external network access via web_search/web_fetch. That changes the trust boundary and can expose sensitive citation data, enable unintended outbound requests, and violate deployment assumptions or sandbox policies if the skill was expected to remain native/local-only.

Vague Triggers

Medium
Confidence: 74%
Finding
The trigger list includes broad phrases such as '写论文' ("write a paper") and '文献调研' ("literature survey"), which are common requests and may activate the full automation pipeline when a user intended a narrower task. Because this skill performs multi-stage file, network, and sub-agent actions, accidental activation increases the chance of unnecessary data handling and side effects.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs pushing a Chinese summary to Feishu without any consent, disclosure, data-minimization guidance, or restriction on what may be sent. Because research topics and generated summaries may contain sensitive business, personal, or unpublished research information, automatic transmission to an external messaging platform creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
Sending evaluation feedback and refinement guidance to Feishu extends the same external-sharing risk to potentially sensitive strategic assessments about a user’s research direction. Even though the content may seem low risk, it can reveal internal priorities, unpublished ideas, or proprietary plans, and the skill provides no warning or consent mechanism.

Missing User Warnings

Medium
Confidence: 95%
Finding
This second Feishu push again causes external disclosure of generated research content without any user-facing warning or policy guardrail. In the context of an automated 23-stage pipeline, repeated automatic notifications increase the chance of unintended leakage and make the behavior more dangerous because sensitive material can be propagated multiple times across stages.

Missing User Warnings

Medium
Confidence: 94%
Finding
This phase explicitly aggregates up to 24 knowledge-card files and sends the merged content to an LLM, and later sends the synthesized document through four more LLM calls. If those cards or syntheses contain proprietary notes, unpublished research ideas, internal data, or personal information, the pipeline can exfiltrate sensitive material to an external model provider without user awareness or consent. The multi-stage research context increases exposure because intermediate outputs are repeatedly forwarded downstream.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs code execution and persistent result writing without any clear user-facing warning or consent step, even though these operations are materially impactful. In a research workflow, generated experiment code may be untrusted, so silently executing it increases the chance of users triggering dangerous behavior they did not knowingly authorize.

Missing User Warnings

Medium
Confidence: 89%
Finding
The refinement loop sends stdout, stderr, and the original code to an LLM, which may expose sensitive source code, secrets printed in logs, file paths, or dataset details to a third-party model service. Because this occurs automatically during iterative repair, the data-sharing risk is amplified and may happen repeatedly across up to 10 rounds.

VirusTotal

66/66 vendors flagged this skill as clean.