openreview-review-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches public OpenReview review data and saves a local JSON report for analysis.

Install if you are comfortable with the agent contacting OpenReview and public web sources for review data, then saving the fetched paper and review content under /tmp. Delete the generated JSON file after use if you do not want local retention, and treat search-derived fallback content as less authoritative than OpenReview API results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill invokes a Python script that performs network access to OpenReview and writes results to /tmp, yet the skill metadata declares only a binary requirement and no explicit permissions. This mismatch can bypass operator expectations and policy enforcement, because a reviewer or runtime may treat the skill as low-privilege even though it can exfiltrate data over the network or leave data behind on disk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The script writes all fetched review data to a predictable file in /tmp, which persists reviewer comments, scores, rebuttals, and decisions beyond the immediate task of fetching/analyzing. Even if the source data is public, storing it locally can unnecessarily expose sensitive conference discussion data to other local users/processes, create data retention issues, and enable symlink or file-clobbering problems because the filename is derived from untrusted forum_id input.

VirusTotal

64/64 vendors flagged this skill as clean.