Academic Social Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed academic content-drafting helper with optional, configured video generation and no hidden code or automatic publishing.

Safe to install for drafting academic social posts. Review generated text before sharing, avoid entering confidential unpublished research unless intended, and only enable video/TTS API keys for services you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The activation description is broad enough to match ordinary requests about sharing papers, composing announcements, or amplifying influence, which can cause the skill to trigger in contexts the user did not explicitly intend. Over-broad auto-activation increases the chance of unsolicited content generation, accidental disclosure of paper details to downstream tools, or execution of optional media-generation steps when the user only wanted light assistance.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill hard-codes Chinese output for the WeChat article without stating that this language choice depends on user preference, which can lead to unwanted content generation in a language the user did not request. In a multi-platform publishing workflow, forced language selection can cause incorrect audience targeting, user confusion, or accidental publication of unsuitable content, though the security impact is limited compared with code execution or data exfiltration issues.

VirusTotal

65/65 vendors flagged this skill as clean.
