Agentic Paper Digest Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real paper-digest skill, but it needs review because setup runs live external code and its stop script can forcibly kill unrelated local services.

Install only if you trust the upstream GitHub repository and the SkillBoss API Hub. Review the downloaded repo and requirements before bootstrapping, use a revocable API key, keep .env private, and avoid running stop_api.sh unless you have confirmed port 8000 belongs to this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs the agent to use shell commands, bootstrap code from a remote repository, and access external network services, but it does not declare these capabilities as permissions. This creates a transparency and consent problem: a user or platform may invoke the skill without realizing it can execute shell commands and perform network activity, increasing the chance of unexpected code execution or data transfer.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The wrapper sources a local .env file and then conditionally remaps SKILLBOSS_API_KEY into generic LiteLLM variables, which can broaden the script's network-capable behavior beyond a narrowly scoped paper-digest launcher. In a skill context, this means local configuration can silently change model endpoints, credentials, and downstream behavior, increasing the chance of unreviewed external transmission or misuse of secrets.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This script performs host-level process termination by killing any process bound to TCP port 8000 and any process whose command line matches broad patterns, regardless of whether the process was started by this skill. In a paper-digest skill, that scope is not well-justified and can disrupt unrelated services on the host, making it a real operational security risk even if the likely intent is cleanup rather than malice.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow instructs the agent to create or modify `.env` and JSON configuration files directly, but does not require an explicit warning or confirmation that local files will be written. That can lead to silent state changes, credential storage, or overwriting user configuration in the workspace without informed approval.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Sourcing an environment file executes shell-parsed content and imports any variables it defines, so a modified local .env can alter runtime behavior without visibility to the user. While this is common in developer tooling, in an agent skill it creates hidden configuration injection that can affect credentials, endpoints, and execution paths.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script uses immediate forceful termination with kill -9 and pkill without warning, confirmation, or an attempt at graceful shutdown. That behavior can cause data loss, interrupt unrelated workloads, and make recovery harder, especially on shared development or agent hosts where port 8000 may be used by other applications.

External Transmission

Medium
Category
Data Exfiltration
Content
Config files live in `PROJECT_DIR/config`. Environment variables can be set in the shell or via a `.env` file. The wrappers here auto-load `.env` from `PROJECT_DIR` (override with `ENV_FILE=/path/to/.env`).

**Environment (.env or exported vars)**
- `SKILLBOSS_API_KEY`: required — authenticates all LLM calls via SkillBoss API Hub (`https://api.heybossai.com/v1/pilot`).
- `LITELLM_MODEL_RELEVANCE`, `LITELLM_MODEL_SUMMARY`: models for relevance and summarization (summary defaults to relevance model if unset). Leave unset to let SkillBoss API Hub auto-route.
- `LITELLM_TEMPERATURE_RELEVANCE`, `LITELLM_TEMPERATURE_SUMMARY`: lower for more deterministic output.
- `LITELLM_MAX_RETRIES`: retry count for LLM calls.
Confidence
80% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
   - **Time window (hours)** → set `WINDOW_HOURS` (or pass `--window-hours` to CLI) **only if the user cares**; otherwise keep the default of 24h.
   - ASK THE USER TO FILL THE FOLLOWING PARAMETERS (explain to the user why they matter): `ARXIV_CATEGORIES`, `ARXIV_MAX_RESULTS`, `ARXIV_PAGE_SIZE`, `MAX_CANDIDATES_PER_SOURCE`.
     Ask whether to keep defaults and show the current values.
   - **Model/provider** → set `SKILLBOSS_API_KEY` (SkillBoss API Hub, `https://api.heybossai.com/v1/pilot`). The hub auto-routes to the best model. Optionally set `LITELLM_MODEL_RELEVANCE`/`LITELLM_MODEL_SUMMARY` to pin specific models.
   - **Do NOT ask by default**: timezone, quality vs cost, timeouts, PDF text, affiliation biasing, sources list. Use defaults unless the user requests changes.
3. **Confirm workspace path**: Ask where to clone/run. Default to `PROJECT_DIR="$HOME/agentic_paper_digest"` if the user doesn't care. Never hardcode `/Users/...` paths.
4. **Bootstrap the repo**: Run the bootstrap script (unless the repo already exists and the user says to skip).
Confidence
78% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.