Phy Citation Checker

Security checks across malware telemetry and agentic risk

Overview

This citation-checking skill behaves as advertised, but users should know it sends bibliography metadata to public academic APIs.

Install only if you are comfortable sending citation titles, DOIs, and related bibliography metadata to CrossRef, Semantic Scholar, and OpenAlex. Avoid using it on unpublished, embargoed, client-confidential, or internal bibliographies unless that external API use is allowed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises and depends on Python plus the requests package, and its documented workflow reads local .bib files and sends citation metadata to external services, yet no permissions are declared. This creates a transparency and policy-enforcement gap: users and platforms may not realize the skill can access local files and make outbound network requests, which can lead to unintended data exposure or bypass of least-privilege controls.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill repeatedly describes verification against CrossRef, Semantic Scholar, and OpenAlex but does not clearly warn that citation contents from local bibliography files are sent to third-party APIs. Bibliographies can contain unpublished manuscripts, internal report titles, author lists, or other sensitive research metadata, so silent transmission may leak confidential or embargoed information.

VirusTotal

VirusTotal findings are pending for this skill version.
