ClawHub

Turnitin AI Checker

Security checks across malware telemetry and agentic risk

Overview

This skill appears local-only, but it is built to help academic text avoid AI-detection systems and makes overstated Turnitin-specific claims.

Install only after careful review. The code does not appear to steal data, use credentials, call the network, or persist locally, and VirusTotal is only pending telemetry. The main concern is that the skill is designed to help academic work pass AI-detection checks and may violate school, publisher, or workplace integrity rules; its Turnitin-like scores are local heuristics and should not be treated as official or reliable proof of authorship.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose is checking AI-detection likelihood, but the skill also documents rewriting text specifically to make academic work 'pass detection.' That mismatch conceals an evasion function that can facilitate academic-integrity abuse and makes it easier to deploy the skill without appropriate scrutiny or policy controls.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest frames the skill as a checker, while the body advertises text-humanization to help content pass Turnitin detection. This concealed secondary purpose materially increases misuse risk because reviewers and users may underestimate that the skill supports bypass of academic-integrity controls.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly documents rewriting text to evade AI detection, exceeding a legitimate checking function. Providing tactics to transform text so it appears human-written enables deliberate circumvention of academic-integrity mechanisms and can support fraud in educational settings.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The disclaimer claims the tool is not for bypassing legitimate detection, yet the preceding content repeatedly promotes humanization and re-checking until the text passes. This contradiction is dangerous because it disguises the real evasion workflow behind compliance-sounding language, undermining trust and governance review.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
This reference material goes beyond describing detection methods and provides concrete 'humanization techniques' explicitly framed to make AI-written text appear more human and reduce detection risk. In the context of a Turnitin AI checker skill, this meaningfully enables evasion of academic integrity controls and misrepresentation of authorship, which makes the capability dangerous even though it is presented as documentation.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script presents a specific Turnitin detection cutoff and frames its output as if it predicts Turnitin behavior, but the implementation is only a local heuristic model with no demonstrated linkage to Turnitin's actual system. This can mislead users into trusting inaccurate results and using the tool to tune submissions against a purported detector, creating integrity and misuse risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation claims similarity to Turnitin's detection methods without showing any Turnitin-specific logic, dataset, or validation. In this skill context, that misleading representation is security-relevant because it can encourage users to rely on the tool for detector evasion or compliance decisions under false assumptions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file explicitly implements functionality to rewrite AI-generated text so it appears human-written, which facilitates evasion of AI-detection and academic integrity controls rather than merely assessing detection risk. In the context of a Turnitin-related skill, this materially increases abuse potential because it helps users disguise provenance and bypass institutional review processes.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The docstring is misleading because it claims to preserve academic tone while the code can inject rhetorical and conversational phrasing, including in academic mode. Misrepresentation of behavior is dangerous here because it conceals that the tool is actively altering authorship style in ways that may help evade academic detection or mislead users about the extent of manipulation.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list is broad enough to match ordinary discussion about AI detection, increasing the chance of unintended invocation. In this context, accidental activation is more concerning because the skill includes evasion-oriented rewriting behavior that could be surfaced to users who did not explicitly request that capability.

Missing User Warnings

High
Confidence
95% confidence
Finding
The description fails to warn that the skill can help users rewrite text to pass Turnitin, obscuring a high-risk misuse case. Lack of clear warning reduces informed review and increases the likelihood that the skill will be deployed or used in ways that facilitate academic misconduct.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown recommends specific rewriting changes such as adding personal voice, breaking formulaic structure, and introducing minor imperfections, but does not warn that these steps can be used to conceal AI authorship. Because the skill is explicitly about checking Turnitin AI detection risk, the surrounding context increases the likelihood that users will treat these instructions as a playbook for evasion rather than neutral educational material.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The risk messages explicitly recommend 'humanization' to reduce detection risk before submission, which meaningfully facilitates evasion of AI-detection systems. Given the skill's stated purpose is checking whether text would be flagged by Turnitin, this context makes the behavior more dangerous because it operationalizes academic-integrity bypass rather than neutral analysis.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
Publishing a purported detector cutoff gives users a target for iterative optimization, making the tool more useful for evasion. Even if the threshold is inaccurate, presenting it as a decision boundary can still drive misuse and false confidence in attempts to stay under detection limits.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The module description and implementation promote making AI-generated text appear human-written, which is an evasion-oriented capability with clear misuse potential in academic settings. Given the skill's Turnitin context, this is especially dangerous because it can be used to undermine plagiarism and AI-authorship detection workflows relied upon by schools and reviewers.

Ssd 2

High
Confidence
99% confidence
Finding
The skill explicitly frames rewriting as 'humanization' to help academic text pass detection, which is a euphemistic but direct evasion use case. This is dangerous because it operationalizes concealment of AI authorship and facilitates cheating or misrepresentation in academic submissions.

Ssd 2

High
Confidence
99% confidence
Finding
The use cases invite users to 'humanize' text to avoid AI detection, presenting bypass as a normal supported workflow. That context makes the skill more dangerous because it openly targets an academic-integrity control rather than incidentally enabling misuse.

Ssd 4

High
Confidence
99% confidence
Finding
The workflow describes a complete evasion loop: score the text, identify risky sections, rewrite them, and re-check until the result is 'safe.' This creates a practical playbook for bypassing Turnitin-style AI detection and materially lowers the barrier to academic fraud.

Ssd 2

High
Confidence
99% confidence
Finding
The procedure lists concrete tactics—varying sentence lengths, swapping phrases, adding subjective language, and introducing minor grammatical variation—to make AI-written text appear human-written. These are actionable concealment instructions that directly support evasion of detection systems.

Ssd 2

High
Confidence
98% confidence
Finding
The examples demonstrate reducing an AI score from a flagged result to a 'Safe' one after humanization, normalizing and validating bypass behavior. Example-driven guidance is especially dangerous because it gives users a concrete success model for evading academic detection controls.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal