ClawHub

Method Dev Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support laboratory method-development workflows, but it needs review because it may handle sensitive lab data and has an under-scoped CSV file-write behavior.

Review the source before installing, especially src/utils.py export behavior and any places that store lab records. Use it only with non-sensitive or approved laboratory data, keep exports to a controlled directory, and avoid using the included promotional guidance unless disclosures and compliance review are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes systematic recording, retrieval, and structured storage of laboratory experiment, sample, and method-development data, but provides no warning about handling sensitive research, proprietary, regulated, or potentially patient-linked laboratory information. In a pharmaceutical analysis context, this omission can lead users to store confidential or regulated data insecurely, increasing the risk of data leakage, IP exposure, or compliance violations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The content promotes using an AI assistant to process experimental records, method parameters, and trend analysis in a pharmaceutical/laboratory context without any warning about confidentiality, regulated data handling, or privacy boundaries. In this setting, users may input proprietary methods, research data, or potentially regulated records into AI systems, creating risk of unauthorized disclosure, compliance violations, or improper handling of sensitive laboratory information.

Vague Triggers

Low
Confidence
92% confidence
Finding
The draft includes operational guidance on when to publish, how to embed a tool mention, and how to steer users into private messages, but it lacks clear guardrails on acceptable use, disclosure, or audience targeting. In a content-generation skill, this can facilitate undisclosed promotion and evasive outreach behavior, which is risky even if the underlying HPLC content is harmless.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal