arxiv watcher

Security checks across malware telemetry and agentic risk

Overview

This ArXiv helper is purpose-aligned and openly describes its local research log, though users should understand that discussed papers are saved persistently.

Install this if you want an ArXiv search and summary assistant and are comfortable with it contacting ArXiv. Before using it for sensitive or confidential research topics, note that it automatically appends discussed papers and summaries to memory/RESEARCH_LOG.md; review or clear that file as needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest description limits the skill to searching and summarizing ArXiv papers. The body of the skill adds a separate persistence function: automatically saving every discussed paper to `memory/RESEARCH_LOG.md`, which is not implied by the manifest's stated purpose and changes the skill from transient research assistance to data retention.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown explicitly says summarized papers are automatically saved to `memory/RESEARCH_LOG.md`, which affects user data/state. The file does not provide any warning, consent language, or disclosure about this persistent write behavior, even though it is later marked as mandatory.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This instruction requires appending content to `memory/RESEARCH_LOG.md`, a file-write operation that changes persistent state. The surrounding skill description does not warn users that every discussed paper will be logged, so the behavior lacks adequate disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
