Jupyter Helper

Security checks across malware telemetry and agentic risk

Overview

This notebook helper is mostly aligned with its purpose, but it can execute notebook code and overwrite notebook outputs without enough warning or clear documentation.

Install only if you understand that the `run` command executes code inside the notebook with your user privileges. Use it only on trusted notebooks, preferably in an isolated environment, and make backups before using `clean` because it overwrites notebooks by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Severity: Medium (confidence 89%)
The skill description promises operational Jupyter notebook actions like converting, extracting, running, and exporting notebooks, but the exposed commands are only generic reference topics such as intro, theory, and help. This mismatch can mislead users or orchestrators into invoking the skill for privileged notebook operations it does not transparently describe, creating a confused-deputy risk and obscuring what downstream scripts may actually do.

Context-Inappropriate Capability

Severity: Medium (confidence 88%)
The `run` command executes arbitrary code embedded in a notebook via `nbconvert --execute`, which is inherently dangerous when notebooks come from untrusted sources. In a helper skill framed as notebook management, this significantly expands capability from inspection/transformation into code execution, enabling command execution, file access, network access, or environment compromise under the current user.

Vague Triggers

Severity: Medium (confidence 84%)
The trigger phrases are very broad and map to common notebook-related tasks, increasing the chance this skill is auto-selected for requests outside its actual scope. In combination with the manifest/command mismatch, this overbroad routing can cause inappropriate invocation of generic scripts, unexpected actions, or user confusion about the skill's authority and capabilities.

Missing User Warnings

Severity: Medium (confidence 94%)
The script executes notebooks without any warning that `.ipynb` files may contain arbitrary executable code. Users may reasonably treat notebooks as documents and invoke this helper on untrusted files, leading to unintended execution of attacker-controlled Python with the user's privileges.

Missing User Warnings

Severity: Medium (confidence 83%)
The `clean` command defaults to `--inplace`, overwriting the original notebook and deleting outputs/execution state without a clear destructive-operation warning or confirmation. This can cause accidental data loss, especially for users expecting a derived cleaned copy rather than mutation of the source file.

VirusTotal

66/66 vendors flagged this skill as clean.