Skilled Deep Research

Security checks across malware telemetry and agentic risk

Overview

This research skill is mostly coherent, but it can launch broad multi-agent web research and keep persistent local records on the basis of very broad trigger phrases, and it depends on unversioned external helper scripts.

Install only if you want a heavyweight research automation skill that may spawn sub-agents, contact web/search/browser services, and keep research history on disk. Review or replace the hard-coded /home/sean helper-script paths before use, and manually clean ~/.openclaw/workspace/skills-data/skilled-deep-research/ if topics, URLs, or reports are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill clearly instructs the agent to read from and write to persistent filesystem locations and to invoke local tooling, yet it declares no permissions. That mismatch can bypass user expectations and platform policy checks, especially because the skill writes reports, checkpoints, retry queues, and deduplication state under a persistent workspace path.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The skill directs execution of helper scripts from absolute paths outside the skill directory, such as /home/sean/.openclaw/workspace/lab/skills/ddg-search/scripts/ddg and fetch. This creates a trust-boundary violation: behavior depends on mutable external code not versioned with the skill, enabling silent tampering, privilege misuse, or environment-specific execution of unexpected code.

Vague Triggers

High
Confidence: 94%
Finding: The README advertises very broad auto-trigger phrases such as "find," "look into," and even question-like prompts that overlap with ordinary conversation. In an agent environment, this can cause the skill to activate unexpectedly on routine user requests, leading to unanticipated web access, multi-agent spawning, and report generation without clear user intent for a heavyweight research workflow.

Vague Triggers

Medium
Confidence: 85%
Finding: The tier-selection rules are ambiguous, with loosely defined conditions like "quick," topic length, or "multi-source topic," which leaves substantial room for interpretation by the agent. That ambiguity can cause the system to choose a more powerful tier than the user expected, increasing the chance of unnecessary browsing, sub-agent execution, and persistent output generation.

Missing User Warnings

Medium
Confidence: 91%
Finding: The README states that reports, metadata, progress files, retry queues, and deduplication registries are written to a persistent skills-data directory, but it does not prominently warn users that this data remains on disk. In practice, research topics may contain sensitive user interests, file paths, or gathered source material, so silent persistence creates privacy and data-retention risk.

Vague Triggers

High
Confidence: 94%
Finding: The trigger phrases are broad enough to activate on many ordinary requests like "find", "look into", "what's available on", or "find examples", causing the skill to launch a heavy research workflow unexpectedly. In context, that means unprompted web searches, sub-agent spawning, persistent file creation, and possible copying to output paths, which materially increases privacy and safety risk.

Vague Triggers

Medium
Confidence: 88%
Finding: The tiering examples create ambiguous boundaries between simple, standard, and deep behavior, making it easy for a routine query to escalate into multi-agent execution with persistence and external network activity. This is dangerous because users may reasonably expect a lightweight answer while the skill performs much more invasive actions.

Missing User Warnings

Medium
Confidence: 92%
Finding: The skill creates persistent working files and can copy reports to arbitrary output paths, but the documentation does not prominently warn users before those side effects occur. That can lead to unintentional storage of sensitive topics, overwriting of existing files, or placement of research artifacts in unexpected locations.

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill sends user queries and fetched URLs to external services and tools, including Brave search, DDG helpers, and potentially Playwright/browser tooling, without a clear privacy warning. For sensitive research topics, that disclosure can leak intent, targets, and browsing patterns to third parties or local infrastructure outside the user's expectations.

Session Persistence

Medium
Category: Rogue Agent
Content:
ENDBLOCK

   ⚠️ You MUST use this shell append pattern. Do NOT use write/edit tools for results.
   Do NOT buffer multiple entries — write each one immediately after fetching.

6. Append URL to known-urls.txt (FULL PATH — critical for deduplication):
   exec: echo "[URL]" >> ~/.openclaw/workspace/skills-data/skilled-deep-research/[SLUG]/known-urls.txt
Confidence: 86%
Finding: write each one immediately after fetching. 6. Append URL to known-urls.txt (FULL PATH — critical for deduplication): exec: echo "[URL]" >> ~/.openclaw

VirusTotal

VirusTotal findings are pending for this skill version.
