Anchor Sheet

Security checks across malware telemetry and agentic risk

Overview

The advertised anchor extractor is local, but the package also contains unrelated pipeline-routing and orchestration code that can mutate many workspace artifacts.

Review this before installing in an environment that auto-loads pipeline files. The anchor-sheet script itself appears local and purpose-aligned, but the package bundles broader workflow routing, execution, and artifact-writing machinery. Use it only in a disposable or clearly scoped workspace unless you intend to install the full research-pipeline bundle, and keep custom input/output paths inside the intended workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    log_path = workspace / log_rel

    try:
        completed = subprocess.run(cmd, check=False, capture_output=True, text=True)
        if completed.stdout or completed.stderr or completed.returncode != 0:
            ensure_dir(log_path.parent)
            body = [
Confidence
96% confidence
Finding
completed = subprocess.run(cmd, check=False, capture_output=True, text=True)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code acts as a generic executor that runs `scripts/run.py` for arbitrary units, which is not justified by the skill manifest claiming a no-network, local anchor-fact extraction tool. That mismatch is dangerous because users may grant this skill trust appropriate for a narrow text-processing task while it actually has code-execution capability across the workspace pipeline.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation manages workflow state, approvals, blocking, rerouting, and downstream invalidation rather than extracting anchor facts from evidence packs. This is a security-relevant scope mismatch because hidden orchestration powers can alter pipeline behavior and operator decisions under the cover of an apparently narrow content-processing skill.

Scope Creep

Medium
Confidence
95% confidence
Finding
The code writes to `UNITS.csv`, `STATUS.md`, and `DECISIONS.md`, effectively mutating workflow control files despite the manifest describing only local extraction behavior. Unauthorized state mutation can be exploited to mark work as done, block units, or alter approval records, undermining the integrity of the pipeline.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements a full research-ideation and memo-generation pipeline rather than the declared anchor-sheet behavior of extracting terse anchor facts from existing evidence packs. That capability mismatch is dangerous because invoking this skill could cause the agent to generate broad synthesized outputs and alter workflow state in ways the user did not request, violating least surprise and expanding the skill's effective authority.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The inline strings explicitly describe a 'Research Idea Brainstorm Memo' and appendix, directly contradicting the skill's stated purpose. In security terms, this is strong evidence the code is mispackaged or repurposed, which increases the risk that operators and reviewers will trust the skill under false assumptions and allow unintended behavior during automated runs.

Scope Creep

Medium
Confidence
90% confidence
Finding
The helper functions support writing arbitrary JSONL, JSON, and Markdown artifacts, enabling the skill to create broader reports beyond simple anchor extraction. In the context of a narrowly scoped evidence-extraction skill, that write capability is risky because it can overwrite or introduce downstream planning/report files that influence later agent behavior, even without network access.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The scoring and prioritization logic gives this skill the ability to rank research directions and make recommendation decisions, which is unrelated to anchor-fact extraction. That is dangerous because it silently upgrades the skill from evidence-constraining support tooling into decision-shaping analysis, allowing it to bias or redirect the user's workflow under an innocuous skill name.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This pipeline is designed to generate and overwrite a very large set of workspace artifacts, yet it does not appear to require an explicit user-facing confirmation before making broad changes. In an agent setting, that creates a real integrity risk: an ambiguous trigger or mistaken routing decision could cause large-scale file creation, regeneration, or replacement across the workspace, potentially destroying user work or contaminating project state.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing hints include very broad trigger terms such as "idea," "brainstorm," and common Chinese equivalents, which can cause this pipeline to activate for loosely related user requests. Over-broad routing increases the chance of unintended pipeline execution, artifact creation, and downstream skill chaining that does not match user intent, which is a real security and safety issue in agentic systems even without network access.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing hint includes the generic term "tutorial," which is broad enough to match many unrelated user requests and can cause this pipeline to be invoked unintentionally. In an agent system, over-broad routing increases the chance of the wrong workflow producing or modifying artifacts, which can lead to confusion, scope drift, or unsafe cross-task execution.

VirusTotal

66/66 vendors flagged this skill as clean.
