ynu-papergraphgeneration-qclaw

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can also run generated Python code locally and send paper content to external APIs without strong user-facing safeguards.

Review carefully before installing. Use only with papers you are comfortable sending to the configured API provider, avoid command-line API keys, and run it in a restricted virtual environment or sandbox. Do not use the generated Matplotlib-code path on untrusted or confidential paper content unless you inspect the generated Python first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(code)

import subprocess
# Runs the LLM-generated script as a child process (call completed from the Finding below)
result = subprocess.run(
    ["python", code_path],
    capture_output=True,
    text=True,
    timeout=60,
    cwd=output_dir,
)
Confidence
99% confidence
Finding
result = subprocess.run( ["python", code_path], capture_output=True, text=True, timeout=60, cwd=output_dir )

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This skill goes beyond generating chart prompts and actually runs arbitrary generated Python, which substantially expands capability from visualization assistance to general code execution. In this context, paper text is attacker-controlled input to the prompt, so prompt injection can steer the model to emit malicious code that is then executed locally.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code writes temporary scripts and generated outputs into a persistent directory under the user's home workspace. This creates unnecessary filesystem write capability and persistence for attacker-influenced content, increasing the blast radius if malicious code is generated or if sensitive paths are later targeted.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes sending user-provided paper text through OpenClaw and then to external image-generation services, but it does not clearly disclose that potentially sensitive manuscript content may be transmitted to third-party APIs. In a research context, unpublished papers, proprietary methods, or confidential data may be exposed without informed user consent, creating privacy, confidentiality, and compliance risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Generated code is silently written to disk and executed without an explicit warning, confirmation, or disclosure to the user. While the core issue is unsafe execution, the lack of transparency materially increases risk because users cannot make an informed decision before local code runs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code sends raw paper text to an external LLM API for analysis without any explicit consent, warning, redaction, or local-only option at the point of transmission. If users process unpublished manuscripts, proprietary research, or regulated documents, sensitive content may be disclosed to a third-party service unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function sends user-supplied prompt content, including topology and additional requirements, to a third-party API without any explicit consent gate, warning, or redaction step. In a paper-visualization skill, prompts may contain unpublished research details, proprietary system designs, or sensitive manuscript content, so silent external transmission creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The scanner sends raw paper chunks to an LLM via llm_call_fn without any visible consent, privacy notice, or minimization controls. If papers contain unpublished research, proprietary data, or embedded personal information, this can cause unintended disclosure to an external model provider or logging pipeline.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The merge stage re-transmits extracted findings derived from the paper back to the LLM, creating a second disclosure path without transparency. Although this is typically less sensitive than the full paper, summaries and section names can still reveal unpublished methods, results, or research direction.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends user_intent and up to 1500 characters of paper_content to an LLM without any visible consent flow, disclosure, or indication of whether the LLM is local or external. In a document-processing skill, paper text may contain unpublished research, proprietary material, or personal data, so silent transmission creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code constructs an extraction prompt containing up to 8000 characters of paper content, substantially increasing the amount of potentially sensitive document text prepared for LLM processing. Even if another module performs the actual call, this router is explicitly packaging large source content for model consumption without visible privacy notice, least-privilege controls, or sensitivity checks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code can invoke EasyOCR as a fallback, and EasyOCR commonly downloads model files at first use. In a security-sensitive or offline environment, this creates an unexpected outbound network action and supply-chain exposure without explicit runtime consent, which is especially relevant because the module is framed as a local self-checker and its comments even note '联网下载模型' ("download the model over the network").

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents sending paper content and an API key to a remote image-generation endpoint, but it does not clearly warn users that potentially sensitive unpublished paper text will leave the local environment. In a research workflow, this can expose confidential manuscripts, proprietary data, or embargoed results to third-party services without informed consent.

VirusTotal

VirusTotal findings are pending for this skill version.
