Autonomous Research

Security checks across malware telemetry and agentic risk

Overview

This is a coherent research helper, but it may use external search/network tools and a Brave API key, so users should scope requests carefully.

Install this only if you are comfortable with web/search-backed research using a Brave API key. Avoid including confidential, regulated, or proprietary details in research prompts unless you intend them to be used in external searches, and give clear limits for topic, depth, sources, and output format.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (95% confidence)
Finding:
The top-level description is extremely broad ('conduct comprehensive research independently' / 'without human guidance'), which creates unclear activation and authorization boundaries. In agent systems, overly general scopes increase the chance the skill is invoked for unintended tasks, including sensitive research workflows that may trigger external lookups or credential-backed actions without explicit user intent.

Vague Triggers

Medium (94% confidence)
Finding:
The 'When to Use' section uses broad, everyday phrasing like 'Deep research on any topic' and 'Information gathering without guidance,' which can match many normal user requests. This makes accidental or overbroad activation more likely, especially in environments where skills are selected from conversational intent, potentially causing unsanctioned autonomous behavior.

Vague Triggers

Medium (97% confidence)
Finding:
The quick actions use highly generic phrases such as 'analyze sources,' 'generate report,' and 'validate research,' which are common in ordinary conversation and can collide with unrelated user dialogue. If the platform maps these phrases to skill activation, the skill may launch unexpectedly and perform external or autonomous actions beyond what the user intended.

Missing User Warnings

Medium (96% confidence)
Finding:
The skill metadata indicates dependency on external binaries and a BRAVE_API_KEY, but the human-readable description does not disclose that using the skill may contact third-party services or consume configured credentials. This reduces informed consent and can surprise users or operators with network access, data exposure, or billable API usage during ostensibly simple research tasks.

VirusTotal

66/66 vendors flagged this skill as clean.
