ClawHub

Phy Write Academic Report

Security checks across malware telemetry and agentic risk

Overview

This academic-report skill is purpose-aligned, but users should be aware that citation checking sends bibliography metadata to public academic APIs.

Install only if you are comfortable letting the skill analyze the chosen research repository and generate report files. Remove secrets and confidential logs first. Do not run citation checking on embargoed, unpublished, or sensitive bibliographies unless sending titles and DOIs to CrossRef, Semantic Scholar, and OpenAlex is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends citation metadata such as titles and DOIs to third-party APIs without an explicit consent gate or warning at the point of use. In academic contexts, bibliography contents can reveal unpublished research topics, sensitive project direction, or confidential manuscript details, so silent transmission creates a real privacy and compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
try:
        # If DOI is provided, verify directly
        if entry.doi:
            url = f"https://api.crossref.org/works/{entry.doi}"
            resp = requests.get(url, headers=HEADERS, timeout=10)
            if resp.status_code == 200:
                data = resp.json()["message"]
Confidence
88% confidence
Finding
https://api.crossref.org/

External Transmission

Medium
Category
Data Exfiltration
Content
for search_title in search_titles:
            query = urllib.parse.quote(search_title)
            url = f"https://api.crossref.org/works?query.title={query}&rows=5"
            resp = requests.get(url, headers=HEADERS, timeout=15)
            if resp.status_code == 200:
                items = resp.json().get("message", {}).get("items", [])
Confidence
94% confidence
Finding
https://api.crossref.org/

External Transmission

Medium
Category
Data Exfiltration
Content
) -> Optional[dict]:
    """Search Semantic Scholar. Covers 200M+ papers with author disambiguation."""
    query = urllib.parse.quote(entry.title)
    url = f"https://api.semanticscholar.org/graph/v1/paper/search?query={query}&limit=3&fields=title,authors,year,externalIds"

    for attempt in range(2):
        try:
Confidence
94% confidence
Finding
https://api.semanticscholar.org/

External Transmission

Medium
Category
Data Exfiltration
Content
for search_title in search_titles:
        try:
            query = urllib.parse.quote(search_title)
            url = f"https://api.openalex.org/works?filter=title.search:{query}&per_page=5"
            resp = requests.get(
                url,
                headers={**HEADERS, "Accept": "application/json"},
Confidence
94% confidence
Finding
https://api.openalex.org/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal