Kb Review

Security checks across malware telemetry and agentic risk

Overview

This skill coherently reads a paper knowledge base, synthesizes reviews, and can write those reviews back, with no artifact-backed evidence of deception or harmful behavior.

Install only if you trust the configured Gitea administrator token and the paper-kb server. Expect the skill to read your paper-kb repository and, for review requests, save or update generated concept pages, catalog.json, index.md, and possibly log.md if optional query logging is used. Prefer a least-privilege token and pinned dependency versions in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: Although this script is presented as a read/query tool, the --list path can also perform a write by calling append_query_log when log_question is supplied. Mixing read and write side effects in a query utility can surprise callers, create unintended data retention, and enable silent logging of user-provided content without an explicit separate consent or operation.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The manifest describes a broadly capable review/advisor skill that performs cross-paper synthesis and can write results back to the knowledge base, but it does not define clear invocation boundaries, user-consent requirements, or exclusions. In an agent setting, overly broad scope increases the chance the skill is invoked in unintended contexts and performs analysis or persistence actions the user did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The manifest explicitly states that the skill may write synthesized content back to the knowledge base, including regenerable high-level concept pages, but provides no warning or consent language about modifying stored content. Because the skill also requires GITEA access and an admin token, unintended or mistaken writes could alter shared knowledge, overwrite prior content, or introduce inaccurate synthesized material at scale.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The module automatically uses an admin-scoped token to perform authenticated network calls and remote repository writes with no built-in consent, prompting, or audit disclosure at the API wrapper layer. In an agent/skill context, this enables downstream code to make privileged persistent changes to a Gitea instance using ambient credentials, which increases the risk of silent misuse or overreach.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The function persistently records raw user questions into a repository log without any disclosure, minimization, or filtering visible in this file. User queries often contain sensitive research topics, credentials, personal data, or proprietary text, so silent retention creates a meaningful privacy and secondary disclosure risk if the repository is shared, compromised, or broadly accessible.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code allows user questions to be written to log.md through the log_question parameter, but there is no enforcement in the code of a clear just-in-time warning or consent mechanism at collection time. If queries contain personal, confidential, or proprietary information, this creates a privacy and compliance risk because sensitive content may be stored unexpectedly.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The code is explicitly designed to record natural-language user questions, which are high-entropy and frequently sensitive, into a durable log. In a knowledge-base/research context, queries can reveal confidential project interests, unpublished work, or personal data, so default retention increases leakage risk through repo access, backups, or later reuse.

Ssd 3

Severity: Medium
Confidence: 90%
Finding: The help text explicitly states that providing the query during listing will 'ensure the query is always recorded,' which signals intentional persistent collection of user input. In a knowledge-base context, user questions can easily include sensitive research topics or internal information, so forced logging increases privacy exposure and may normalize over-collection.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.28
python-dotenv>=1.0
Confidence: 94%
Finding: requests>=2.28

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.28
python-dotenv>=1.0
Confidence: 90%
Finding: python-dotenv>=1.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 97%
Finding: requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Severity: Low
Category: Supply Chain
Confidence: 78%
Finding: python-dotenv

VirusTotal

65/65 vendors flagged this skill as clean.
