Paper Recommendation

Security checks across malware telemetry and agentic risk

Overview

The skill’s paper-research functions are legitimate, but its scheduled workflow can repeatedly send briefings to a hardcoded Telegram account.

Review before installing. Manual arXiv fetching and PDF review look aligned with the skill’s purpose, but do not enable the daily cron or run daily_workflow.py until you replace or remove Telegram ID 8077045709, confirm the recipient each time, and fix the cron path to the installed paper-recommendation script. Use local-only output for private research topics, proprietary papers, or sensitive notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs delivery of generated research summaries via Telegram without any explicit consent, warning, or confirmation step before transmitting content to an external service. Even if the content is 'just summaries,' it may include user prompts, proprietary research interests, or derived sensitive information, creating an unintended data exfiltration path.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
This cron workflow automatically sends results every day to a fixed Telegram recipient, creating persistent external exfiltration without a human-in-the-loop check. The hard-coded recipient ID and scheduled automation increase risk because content can be transmitted repeatedly, silently, and at scale if the skill is enabled in an environment with access to sensitive research or user context.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The workflow explicitly sends the generated briefing to Telegram, an external third-party channel, without any consent gate, warning, or data-classification step. Because the briefing aggregates paper content and potentially user-selected research interests or derived notes, this creates a real data exfiltration/privacy risk if sensitive or proprietary information is included.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The workflow instructs the agent to save briefing files to persistent local storage without documenting retention, access controls, or cleanup expectations. While local file output is common, storing potentially sensitive research summaries by default can expose data to other local users, backups, or later unintended reuse.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script prints extracted PDF text directly to stdout and can also emit full content as JSON, which may expose sensitive document contents in terminals, logs, CI pipelines, or calling-agent transcripts. In a research skill context, users may process proprietary papers, internal reports, or personal documents, making unintended disclosure more likely.

VirusTotal

64/64 vendors flagged this skill as clean.
