automatelab-citation-intelligence

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real citation-analysis tool, but it needs review because it sends queries and URLs to external services, fetches arbitrary URLs from the host, stores results locally, and has a credential-leak risk in error handling.

Install only if you are comfortable with a self-hosted MCP server making outbound requests to AI/search vendors and to user-supplied URLs. Do not use it for confidential queries or internal URLs unless you run it in an egress-restricted environment, and be aware that failed requests may reveal some API keys in logs or tool errors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The function derives a domain and origin from a user-supplied URL, fetches that page, and then makes additional third-party requests to Wikipedia, GitHub, Reddit, and the target origin (/llms.txt) without any user-facing notice or consent boundary. This can disclose the queried domain or URL to external services, create privacy/compliance issues, and amplify SSRF-style network access if the caller can supply arbitrary internal or sensitive URLs.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: This code transmits the user's search query, optional location, and language selection to a third-party service (SerpAPI), which can expose potentially sensitive user input and contextual metadata to an external processor. In a citation-intelligence skill, such data sharing is functionally necessary, but the absence of an in-flow disclosure or consent mechanism increases privacy and policy risk, especially when queries may contain proprietary or personal information.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The cache persists user-controlled queries and AI overview content to a local file on disk, which can include sensitive business queries, competitive research terms, or other private data. In this skill's context, being self-hosted and focused on search/citation intelligence makes disk persistence expected, but the lack of minimization, encryption, retention controls, or clear disclosure still creates a real privacy and data-exposure risk if the host is shared, backed up, or compromised.

Missing User Warnings
Severity: Medium
Confidence: 72%
Finding: The parser recursively follows nested sitemap <loc> entries and fetches each one without constraining hostnames or schemes. A user-supplied sitemap can therefore cause the tool to make additional requests to arbitrary external or internal endpoints, increasing SSRF exposure and making the actual network reach broader than the initial input suggests.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: This tool sends user queries to third-party AI/search providers and persists both the query and raw AI response in cache, which can expose sensitive prompts, internal URLs, credentials, or other proprietary data if users submit them. The risk is heightened because the skill is explicitly designed to probe external engines, so data disclosure to vendors and local storage is core behavior, yet this file shows no consent gate, redaction, or minimization before transmission and caching.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The tool fetches arbitrary user-supplied URLs server-side via fetchText(parsed.url), which creates an SSRF-style capability and causes external network access without any in-band warning or restriction in this code. In a self-hosted BYO-keys skill this is somewhat expected functionality, but it is still dangerous because an attacker can induce requests to internal services, cloud metadata endpoints, or other sensitive network locations reachable from the host running the tool.

Missing User Warnings
Severity: Low
Confidence: 87%
Finding: The tool fetches arbitrary user-supplied URLs, which creates an SSRF-style capability unless the surrounding fetch layer strictly restricts protocols, redirects, private IP ranges, and internal hostnames. In a self-hosted skill that accepts untrusted input, this can be used to probe internal services, access cloud metadata endpoints, or make the host perform unintended outbound requests even though the feature itself is legitimate.

VirusTotal

65/65 vendors flagged this plugin as clean.