Peer Reviewer

Security checks across malware telemetry and agentic risk

Overview

This paper-review skill mostly matches its stated purpose, but it can send manuscript content to external services and includes unsafe shell-based search execution with document-derived text.

Install only if you are comfortable with manuscript content being processed by configured external LLM and search providers. Avoid confidential or unpublished papers unless provider data handling is acceptable, and avoid SkillSearchAdapter or serper-tool use until shell execution is replaced with safe argument-based execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Category: MCP Least Privilege
Severity: Medium
Confidence: 85%
Finding:
The skill advertises no permissions while its documented operation implies access to environment variables, specifically Google credentials. That mismatch weakens transparency and consent, making it easier for the skill to access sensitive runtime context without users or policy layers understanding its true capabilities.

Category: MCP Tool Poisoning
Severity: High
Confidence: 94%
Finding:
The documented purpose presents the skill as a paper reviewer, but the detected behavior includes local file reads, writing reports to disk, external web access, API use, and subprocess execution. This broader behavior materially expands the attack surface: sensitive local content could be read or persisted, and external calls or child processes could exfiltrate data or execute unintended actions.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 81%
Finding:
Requiring Google application credentials for a supposedly local review tool indicates undeclared external service dependence. That creates risk that document contents, prompts, or metadata may be transmitted off-host under privileged credentials, which is especially sensitive for unpublished research papers.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding:
The adapter builds a shell command with both a configurable executable path and a query derived from untrusted input, then executes it via child_process.exec, which invokes a shell. Escaping only double quotes is not sufficient to prevent shell metacharacter injection, and a malicious claim or manipulated executablePath could lead to arbitrary command execution on the host.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding:
The skill persists generated review reports to local disk even though its stated purpose is paper analysis, and there is no indication in this file that users are informed or asked for consent. Because academic papers and review outputs may contain unpublished research, sensitive commentary, or proprietary material, silent local retention creates a real confidentiality and data-handling risk.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 78%
Finding:
The CLI probes for a sibling executable and, if found, invokes it via a command string to extend search behavior. That creates an unnecessary trust boundary expansion for a paper-review skill: local environment state can change behavior, and a malicious or compromised external tool in the expected location could be executed during review, leading to unintended code execution or data exfiltration.

Category: Missing User Warnings
Severity: Medium
Confidence: 93%
Finding:
The adapter transmits user-provided claim content to a third-party service (ArXiv) over an outbound HTTP request without any evidence of user disclosure, consent, or data minimization. In this skill, claims may contain unpublished research ideas, confidential manuscript text, or sensitive academic content, so sending them externally can create a privacy and confidentiality leak even if the destination is a legitimate service.

Category: Missing User Warnings
Severity: Medium
Confidence: 93%
Finding:
The Gemini path sends system and user content to a third-party API and authenticates with a provider key, but the code provides no user-facing disclosure, consent flow, or data-classification guardrails. For a peer-review skill, papers under review may contain unpublished or sensitive material, so silent transmission to an external service can create confidentiality and compliance risks.

Category: Missing User Warnings
Severity: Medium
Confidence: 90%
Finding:
The DevilsAdvocate agent sends full claim text to an external search provider and then forwards claim content plus retrieved literature context to an LLM provider, with no indication of minimization, consent, or disclosure. In an academic paper review context, claims may contain unpublished research, confidential manuscripts, or sensitive data, so this creates a real privacy and confidentiality risk rather than a purely theoretical issue.

Category: Missing User Warnings
Severity: Low
Confidence: 92%
Finding:
Review results are saved to local storage without any user-facing warning in the normal API flow, which means users may reasonably assume analysis is ephemeral when it is not. In the context of academic review, this can expose sensitive drafts, reviewer opinions, or confidential research artifacts to other local users or future processes.

VirusTotal

46/46 vendors flagged this skill as clean.