ynu-papergraphgeneration-openclaw

Security checks across malware telemetry and agentic risk

Overview

This paper-diagram skill mostly matches its purpose, but one results-chart path can run generated Python code with the user's local permissions.

Install only if you trust the papers and providers used with it. Avoid confidential or unpublished manuscripts unless your API provider terms allow it, and do not use the results-chart code execution path outside a sandbox or without manually reviewing the generated Python first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(code)

        import subprocess
        result = subprocess.run(
            ["python", code_path],
            capture_output=True,
            text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ["python", code_path], capture_output=True, text=True, timeout=60, cwd=output_dir )

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This skill's stated purpose is chart generation, but the implementation crosses into arbitrary program execution by running generated Python. That gap materially increases risk because attacker-controlled content can be transformed into executable code under the guise of diagram creation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code writes executable content to disk and runs it, which is more privileged behavior than users would expect from a visualization/PDF-extraction skill. This expands the attack surface and can surprise users into granting execution capability to model-produced content without understanding the risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes sending user-provided paper content through OpenClaw and external image-generation services, but it does not warn users that uploaded paper text may leave the local environment and be processed by third parties. This creates a real privacy and confidentiality risk, especially for unpublished manuscripts, proprietary research, or embargoed content, because users may disclose sensitive material without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Generated code is silently saved and executed without a warning, review step, or approval prompt. That makes prompt-injection-to-execution attacks much easier because the user is never given a chance to inspect or deny dangerous actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The scanner sends raw paper chunks directly to an externally supplied `llm_call_fn`, which can transmit sensitive manuscript content, unpublished research, personal data, or licensed text to a third party without any explicit notice or consent flow. In this skill, the whole purpose is scanning full papers, so the data exposure is systematic rather than incidental, which makes the privacy risk more credible.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The merge step retransmits aggregated findings derived from the paper back through `llm_call_fn`, creating a second disclosure path for extracted document content and summaries without warning. Although this payload may be smaller than the original paper chunk, it can still contain sensitive research details and compounds the original data-sharing risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to pass paper text/PDF-derived content and API credentials to remote image-generation endpoints, but it does not clearly disclose that potentially unpublished or sensitive research content may be transmitted to third-party services. In a research workflow, this can cause unintended data exposure, confidentiality breaches, or policy violations, especially when users assume processing is local.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
## 提取的信息
{extraction_result}
"""
    return prompt


def build_architecture_topology(extraction_result: str, style: str = "academic") -> str:
Confidence
97% confidence
Finding
return prompt

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
请直接输出 Mermaid 代码:
"""
    return prompt


def build_flowchart_topology(extraction_result: str, style: str = "academic") -> str:
Confidence
97% confidence
Finding
return prompt

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
请直接输出 Mermaid 代码:
"""
    return prompt


def build_environment_topology(extraction_result: str, style: str = "academic") -> str:
Confidence
97% confidence
Finding
return prompt

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
请直接输出 Mermaid 代码:
"""
    return prompt


def convert_to_topology(figure_type: str, extraction_result: str, style: str = "academic") -> str:
Confidence
97% confidence
Finding
return prompt

VirusTotal

66/66 vendors flagged this skill as clean.
