Bias Assessor

Security checks across malware telemetry and agentic risk

Overview

The skill advertises a narrow bias-table updater, but the package also contains broad research-pipeline tooling that can route work, execute local scripts, and modify many workspace files.

Install only if you intentionally want the broader research-pipeline toolkit, not just a bias-assessment helper. For the advertised bias-assessor task, prefer a package that contains only the SKILL.md workflow or run this in a disposable copy of the review workspace and inspect diffs to `papers/extraction_table.csv`, `UNITS.csv`, `STATUS.md`, `DECISIONS.md`, and `output/` before relying on any results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    log_path = workspace / log_rel

    try:
        completed = subprocess.run(cmd, check=False, capture_output=True, text=True)
        if completed.stdout or completed.stderr or completed.returncode != 0:
            ensure_dir(log_path.parent)
            body = [
Confidence
95% confidence
Finding
completed = subprocess.run(cmd, check=False, capture_output=True, text=True)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file content is a peer-review pipeline, while the declared skill context is a bias-assessor intended only to add risk-of-bias fields to an extraction table. This mismatch can cause the agent to route into a much broader workflow than the user or policy expects, violating least privilege and enabling unintended processing of manuscripts and review artifacts.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The pipeline invokes manuscript-ingest, claims extraction, evidence auditing, novelty analysis, and rubric writing, which are materially broader than extraction-table augmentation for bias assessment. In a bias-assessor context, this unjustified orchestration increases attack surface, may access unrelated artifacts, and could cause unauthorized or misleading outputs under the guise of a narrowly scoped skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements a general workflow executor that schedules units, manages approvals, writes logs, and runs arbitrary skill scripts, which materially exceeds the declared scope of a bias-assessor skill. Such scope divergence is dangerous because users may grant trust based on the benign metadata while the code provides a much more powerful orchestration surface.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The subprocess execution path gives this skill the ability to invoke a general runner with workspace-controlled parameters, far beyond what is needed to add RoB fields to a CSV. In the context of a no-network, narrowly scoped analysis skill, this mismatch increases the likelihood that harmful or unauthorized actions could be concealed behind an apparently low-risk interface.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Approval and checkpoint management allow the code to alter workflow state and automatically mark human-gated units as approved or done. For a bias-assessor skill, these orchestration capabilities are unrelated to the stated purpose and can weaken human review guarantees if misused or unexpectedly enabled.

Scope Creep

High
Confidence
99% confidence
Finding
The code modifies numerous workflow control and output files including `UNITS.csv`, `STATUS.md`, `DECISIONS.md`, `output/RUN_ERRORS.md`, unit logs, and quality gate artifacts. That write surface is far broader than the manifest's narrow declared scope, creating opportunities for unauthorized state changes, tampering with audit trails, or persistence of misleading workflow status.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements a broad research-ideation and report-generation pipeline rather than the declared bias/risk-of-bias extraction-table skill. That mismatch is dangerous because an agent invoking this skill under the advertised metadata could perform unrelated analysis and generate artifacts outside the user’s expected task, violating least surprise and potentially causing unauthorized workflow changes.

Scope Creep

High
Confidence
97% confidence
Finding
The code contains multiple helpers that write JSON, JSONL, Markdown, appendix, memo, and report artifacts to disk, which exceeds the manifest’s stated extraction-table-only scope. In an agent setting, this can lead to unauthorized file creation and workspace modification, especially if the caller trusts the skill metadata to constrain side effects.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This module implements a large, generic survey-writing and LaTeX quality-gate system that is unrelated to the declared `bias-assessor` skill, which should only add bias/risk-of-bias fields to an extraction table. That mismatch creates a dangerous capability gap: invoking this skill could trigger validation logic, workflow steering, and file writes across many unrelated artifacts, violating least privilege and making unintended workspace manipulation much more likely.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file includes LaTeX/PDF QA and subprocess-driven PDF inspection inside a skill whose declared purpose is bias assessment with `Network: none`. Even if not directly exploitable as command injection, this adds unjustified execution capability and local file/tool interaction that materially expands what the skill can do beyond user expectations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The module enforces retrieval, mapping, drafting, citation, evidence, and review checks across an entire survey pipeline, far beyond a narrow bias-assessment task. In the context of this skill, that scope creep is dangerous because it enables broad workflow control and workspace influence under a misleading skill label, increasing the chance of unauthorized or surprising actions.

Scope Creep

Medium
Confidence
90% confidence
Finding
This file contains logic and remediation guidance for network/fulltext retrieval workflows despite the skill metadata declaring `Network: none`. Even if this code itself does not perform the network access, embedding support for network-dependent behavior inside this skill undermines the guardrail and could cause an orchestrator or operator to use the skill in ways that exceed its declared trust boundary.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The pipeline is marked as `routing_default: true` and includes broad routing hints such as `review` and `survey`, which are common terms that can appear in many unrelated user requests. This can cause unintended invocation of the pipeline, leading the agent to enter a heavyweight literature-review workflow when the user did not intend that behavior, increasing misrouting and unintended file/artifact generation risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing hints are very broad and include generic ideation terms such as `idea` and `brainstorm`, which can cause this pipeline to trigger for many unrelated requests. Because the pipeline performs multi-stage literature retrieval and memo generation, overbroad activation can misroute user intent, invoke unnecessary skills, and produce inappropriate artifacts for tasks that did not request this workflow.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing hint `tutorial` is broad and likely to match many generic user requests about learning, teaching, or examples, which can cause the system to select this pipeline when a more specific workflow was intended. In an agentic system, incorrect pipeline selection can misroute work, create unintended artifacts, and bypass narrower task-specific safeguards or expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The logger writes the full command line, including workspace path, unit ID, inputs, outputs, and checkpoint values, into a workspace-accessible log file. If those arguments contain sensitive project structure, identifiers, or user-supplied data, this can leak information and create a secondary disclosure surface without any minimization or redaction.

VirusTotal

64/64 vendors flagged this skill as clean.