Deep Research

Security checks across malware telemetry and agentic risk

Overview

The skill is aligned with deep research, but it tells the agent to install an additional workflow skill automatically, which users should review first.

Before installing, review the referenced anygen-workflow-generate skill separately and avoid letting the agent run the automatic '-y' install without your approval. Use a dedicated AnyGen API key where possible, and do not submit secrets, regulated data, or confidential research material unless AnyGen is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The activation text is very broad ('any time the user wants in-depth research or comprehensive analysis on any topic') and includes many generic trigger phrases, which can cause the skill to activate for ordinary requests beyond the user's intended scope. In practice this increases the chance of unnecessary invocation of an external research workflow, leading to over-collection, unintended third-party data exposure, or costly actions without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that research is generated server-side at 'www.anygen.io' but does not clearly warn that user prompts and possibly attached context will be transmitted to a third-party service. Because this skill is designed for deep research and due diligence, users may provide sensitive business, regulatory, investment, or proprietary material, making undisclosed external transmission a meaningful privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
