deepresearchwork forme

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent report-generation helper, with expected research, formatting, and chart-output behavior disclosed in its artifacts.

Install only if you are comfortable with the skill using external research/search tools, creating report and image files in your workspace, and running Mermaid CLI through npm/npx. Use a dedicated project folder, review generated sources and reports before relying on them, and avoid confidential topics unless the dependent research tools’ data handling is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation phrase is extremely broad and can be triggered for essentially any topic, which increases the chance that the skill is invoked in contexts the user did not clearly intend. Because the skill advertises automated research and report generation, an unconstrained trigger can lead to unexpected external data gathering and downstream content/file generation without sufficiently explicit user awareness.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README advertises multi-source automated data collection and Mermaid-to-PNG file generation, but it does not warn users about network access, content provenance risks, or local artifact creation. This can cause users to unknowingly approve actions that fetch external content or create files, which is risky in agent environments where automation may have broader permissions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly describes creating a Markdown report and generating image assets under the working directory, but it does not clearly warn users that it will write new files and modify report contents. In agent environments, undisclosed filesystem side effects can surprise users, overwrite existing work, or leak generated artifacts into shared directories.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documented use of `npx -y @mermaid-js/mermaid-cli` can automatically download and execute external code at runtime, but the skill does not warn users about this behavior. In a security-sensitive agent context, silent package installation and execution expands the trust boundary and may expose the environment to supply-chain compromise or unexpected network activity.

VirusTotal

65/65 vendors flagged this skill as clean.
