oldglycine-paper-add-citations

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed citation helper that reads a paper project, searches for references, and edits bibliography/report files, with no evidence of hidden or destructive behavior.

Install only if you are comfortable with the agent reading the target paper project, sending search terms derived from the paper to Google Scholar through scholarly, and modifying bibliography/manuscript/report files. Use version control or a copy of the project and review diffs before relying on the added citations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description explains that it will add BibTeX entries and insert citation markers, but it does not clearly warn users that it will directly modify TeX source files and bibliography contents. This creates a real safety and integrity risk because users may run it expecting advisory output rather than automated document edits, leading to unintended changes to research manuscripts and references.

Missing User Warnings

Medium
Confidence: 90%
Finding
The tool extracts keywords from the user's paper content and uses them to query an external scholarly search service, but the description does not disclose this outbound data flow. Even if only keywords are sent, they may reveal unpublished research topics, confidential project directions, or sensitive academic work, making the omission materially risky in this context.

Missing User Warnings

Medium
Confidence: 90%
Finding
The tool extracts keywords from the user's paper content and uses them to query an external scholarly search service, but the description does not disclose this outbound data flow. Even if only keywords are sent, they may reveal unpublished research topics, confidential project directions, or sensitive academic work, making the omission materially risky in this context.

VirusTotal

66/66 vendors flagged this skill as clean.
