Security audit

Deep Research Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent deep-research tool, but users should understand that it can send prompts and retrieved content to external services and save research artifacts locally.

Install only if you are comfortable with research questions and retrieved source text being sent to configured search, GitHub, documentation, and LLM providers. Use mock/offline modes or a trusted local provider for sensitive work, run it in a sandboxed workspace, pick explicit output/checkpoint paths, and verify citations before relying on generated reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation describes concrete capabilities to read environment variables, write files, and perform network access, but it declares no permissions. That mismatch can prevent informed consent and policy enforcement by the host, especially because the pipeline can transmit prompts and retrieved content to external LLM/search providers and persist outputs locally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The declared purpose frames the skill as a research workflow, but the described behavior includes broader capabilities such as arbitrary remote fetching, GitHub/code search, parallel execution, checkpointing, and report writing to disk. This increases risk because users may invoke it expecting bounded research behavior while it actually performs wider data collection, persistence, and outbound transmission than the description suggests.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The methodology section asserts that all findings are directly sourced and cited, but several code paths such as summary, brief, and some template outputs omit citations entirely. In a research-writing skill, this is a security-relevant integrity issue because users may trust unsupported claims as verified, enabling misleading or fabricated content to be presented with false provenance.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The code claims report generation includes inline citations, but LLM-produced theme sections are trusted verbatim without post-generation verification that citations are present, valid, and tied to supplied sources. This creates an integrity vulnerability where the model can hallucinate citations or produce unsupported factual assertions, especially risky in a deep-research skill whose purpose is authoritative synthesis.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding: The documentation explicitly instructs the orchestrator to save plans under memory/research and later describes saving reports and checkpoints, but it does not clearly warn users that running the skill modifies the local filesystem. In an agent setting, undocumented write behavior can surprise operators, overwrite files, or persist sensitive research material in unintended locations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill is a research pipeline whose normal operation includes web search, fetching documentation URLs, GitHub queries, and calls to configured LLM providers, yet the examples and CLI guidance do not prominently warn that user questions and retrieved content may be transmitted to external services. In agent environments this can expose sensitive prompts, internal topics, tokens, or proprietary context to third parties without informed user consent.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The markdown instructs users to write reports and other artifacts to local paths but does not warn about overwriting existing files or uncontrolled output locations. In practice this can cause accidental data loss or unsafe writes when users supply sensitive or unexpected paths.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill prominently supports external LLM providers, web search, and remote fetching, yet it does not clearly warn that user questions, retrieved content, and possibly local context may be transmitted to third parties. That omission is dangerous in research workflows because prompts often contain proprietary, personal, or otherwise sensitive material.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The code sends chunk titles, URLs, and up to 2000 characters of chunk content to an external LLM service via `_call_glm(...)` without any explicit consent gate, redaction step, or user-visible warning at the transmission point. In a deep-research skill, retrieved content can include proprietary, sensitive, or regulated data, so silent exfiltration to a third-party model provider creates a real confidentiality and compliance risk even if the feature is intended for relevance scoring.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The code sends the research question and selected chunk contents to an external LLM via `_call_glm(...)` without any consent gate, minimization, or disclosure in this component. In a deep-research skill, chunks can easily contain proprietary, personal, or otherwise sensitive text gathered from prior steps, so silent transmission to a third-party model provider creates a real data exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The helper fetches arbitrary URLs supplied indirectly by search results or directly by user input without any allowlist, scheme restriction beyond implicit urllib behavior, or user-visible disclosure. In an agent context, this can trigger unintended outbound requests to attacker-controlled hosts, enabling SSRF-style network access, metadata service probing, or silent data egress via request context and traffic patterns.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The executive-summary path sends the research question and derived findings to an external LLM service without any explicit user-facing notice or consent flow. In a deep-research skill, analyst output may contain sensitive internal research, proprietary data, or regulated content, so silent transmission creates a meaningful confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: Theme generation transmits detailed findings, including claims and source context, to an external LLM with large token budgets and no user warning. Because this skill is specifically designed for deep research and multi-source analysis, the payload is likely to be rich, sensitive, and potentially proprietary, making unauthorized disclosure more dangerous in context than in a generic writing tool.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
## Workflow (Orchestrated Mode)

### Phase 1: Planning
- Analyze question, create slug, make `memory/research/<slug>/` directory
- Generate research plan with dimensions and questions
- Save to `plan.md`
Confidence: 88%
Finding:
create slug, make `memory/research/<slug>/` directory
- Generate research plan with dimensions and questions
- Save to `plan.md`

### Phase 2: Research Cycle (repeat up to 8 times)

#### Step A: Spawn

VirusTotal

66/66 vendors flagged this skill as clean.