Citation Anchoring

Security checks across malware telemetry and agentic risk

Overview

The stated citation-checking workflow is local and coherent, but the package also bundles a pipeline executor and research-pipeline modules that run commands and mutate workspace state. Leave that tooling unused unless you have reviewed it and intend to use it.

Use this skill only for the documented citation drift check: it should read the draft and the baseline anchor file and write the citation anchoring report. Do not run the bundled pipeline executor or the unrelated research pipeline files unless you have reviewed them and want their broader workspace mutations (they update UNITS.csv, STATUS.md and DECISIONS.md and invoke scripts/run.py). Verify that the baseline anchor file matches the draft version you intend to audit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    log_path = workspace / log_rel

    try:
        completed = subprocess.run(cmd, check=False, capture_output=True, text=True)
        if completed.stdout or completed.stderr or completed.returncode != 0:
            ensure_dir(log_path.parent)
            body = [
Confidence
93% confidence
Finding
completed = subprocess.run(cmd, check=False, capture_output=True, text=True)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This utility module exposes extensive file-system mutation and workflow-management functionality, including writing, replacing, backing up, copying trees, and modifying workspace decision/status files, which is far broader than the stated analysis-only citation-anchoring purpose. In a skill that claims 'Network: none' and 'Guardrail: analysis-only; do not edit content,' bundling broad mutation primitives materially increases the chance that the skill can alter project state, bypass expected scope limits, or be repurposed for unintended workspace changes.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The file contains workflow orchestration, approval-checklist mutation, pipeline resolution, and query-seeding logic unrelated to citation anchoring, indicating substantial hidden capability beyond the advertised task. In the context of a narrowly scoped regression-check skill, this creates an unnecessary attack surface and enables unauthorized manipulation of workspace state, research configuration, or process controls if invoked directly or indirectly.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file is a general workflow executor that changes unit state, updates status logs, blocks/unblocks work, and drives external skill execution. That behavior materially exceeds the declared scope of a citation-anchoring regression checker, so the skill packaging is misleading and gives an analysis-only tool the ability to orchestrate and mutate the workspace.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A citation-stability checker should only compare document structure and citation anchors, but this code constructs and runs a generic command invoking `scripts/run.py`. That grants arbitrary execution capability unrelated to the stated purpose, increasing the risk of harmful side effects or abuse through manipulated unit metadata or repository contents.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code mutates `UNITS.csv`, `STATUS.md`, and `DECISIONS.md`, including automatically marking work DONE and setting approvals. For a skill whose guardrail says analysis-only and do not edit content, these state mutations violate user expectations and can alter workflow outcomes without a separate trusted control plane.

Scope Creep

Medium
Confidence
92% confidence
Finding
The code appends run errors, updates logs, and can write approvals and status changes in the local workspace. While not networked, this still exceeds the declared guardrail and broadens the skill's effective permissions beyond analysis, which is dangerous in an environment expecting least privilege.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements broad research-ideation, ranking, reporting, and memo-generation workflows that are unrelated to a citation-anchoring regression checker. That mismatch is dangerous because a skill advertised as narrow, analysis-only, and no-network can still be used to generate and persist unrelated artifacts, violating least-privilege expectations and increasing the chance of unauthorized workspace manipulation or prompt-scope abuse.

Scope Creep

High
Confidence
96% confidence
Finding
The code defines helpers that write JSONL, JSON, and Markdown files to arbitrary paths, which conflicts with the manifest's 'analysis-only; do not edit content' guardrail. In context, this is risky because the skill can create or overwrite artifacts in the workspace, enabling unintended modification, persistence, or clobbering under the guise of a read-only regression check.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The presence of ideation, screening, prioritization, and report-building capabilities is unjustified for a citation-stability checker and materially expands the skill's operational scope. In this context, the excess capability makes the skill more dangerous because users and orchestrators may trust it as a narrow verifier while it can process broader inputs and produce persuasive downstream artifacts that were never authorized.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file is a monolithic quality gate for many unrelated pipeline stages, while the skill is described as citation-anchoring only. Such overbroad authority violates least privilege: invoking this skill can trigger checks and side effects unrelated to citation anchoring, increasing the chance of unintended file access, writes, and execution paths in contexts that expected analysis-only behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
PDF/LaTeX inspection is unrelated to citation anchoring and expands the skill's effective capabilities into local document parsing and external tool invocation. In a security-sensitive agent setting, this mismatch matters because users may grant trust based on the declared scope while the implementation can inspect additional artifacts and invoke system binaries.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The module performs extensive retrieval, evidence, section-writing, and contract auditing far beyond the stated purpose of checking citation anchoring drift. This broadens access to many workspace artifacts and creates hidden behavior that can influence or block unrelated pipeline stages, making the skill more dangerous because its real authority exceeds its advertised purpose.
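The Behavioral AST pattern family and the description-behavior mismatch findings above reduce to one check: parse the bundle's Python, list the capabilities the code actually uses (command execution, dynamic code, file-system writes, network imports), and compare that list with what the manifest declares. The following is an added example of that check written for this page; it is not SkillSpector's scanner and not code from the Citation Anchoring skill. The manifest dict shape, the category names and SAMPLE_SOURCE (a constructed snippet that reuses the subprocess.run line quoted in the first finding and adds the kind of STATUS.md append and tree copy the later findings describe) are assumptions.

```python
import ast
from collections import namedtuple

# Call targets that run external commands or dynamic code.
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_call",
              "subprocess.check_output", "os.system", "os.popen"}
DYNAMIC_CODE = {"exec", "eval", "__import__", "importlib.import_module"}
# File-system mutators matched on the attribute name alone (no type inference): a heuristic
# that catches Path.write_text and shutil.copytree but would also flag any other .mkdir().
WRITE_METHODS = {"write_text", "write_bytes", "copytree", "copy2", "copyfile", "rmtree",
                 "unlink", "rename", "mkdir", "makedirs"}
NETWORK_MODULES = {"socket", "requests", "urllib", "http", "httpx", "ftplib", "smtplib"}

Finding = namedtuple("Finding", "category lineno detail")   # category: exec, dynamic_code, fs_write, network

def dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain such as subprocess.run, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def _opens_for_writing(call):
    """True if this open() call can write; open() defaults to mode 'r'."""
    mode = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    if mode is None:
        return False
    if isinstance(mode, ast.Constant) and isinstance(mode.value, str):
        return any(c in mode.value for c in "wax+")
    return True   # mode computed at runtime: assume it can write

class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _check_module(self, name, lineno):
        if name.split(".")[0] in NETWORK_MODULES:
            self.findings.append(Finding("network", lineno, f"import {name}"))

    def visit_Import(self, node):
        for alias in node.names:
            self._check_module(alias.name, node.lineno)

    def visit_ImportFrom(self, node):
        self._check_module(node.module or "", node.lineno)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in EXEC_CALLS:
            self.findings.append(Finding("exec", node.lineno, f"{name}()"))
        elif name in DYNAMIC_CODE:
            self.findings.append(Finding("dynamic_code", node.lineno, f"{name}()"))
        elif name == "open" and _opens_for_writing(node):
            self.findings.append(Finding("fs_write", node.lineno, "open() with a write mode"))
        elif isinstance(node.func, ast.Attribute) and node.func.attr in WRITE_METHODS:
            self.findings.append(Finding("fs_write", node.lineno, f".{node.func.attr}()"))
        self.generic_visit(node)   # keep walking: arguments may themselves be calls

def scan_source(source, filename="<skill>"):
    """Parse one Python file from a skill bundle and list its risky capabilities."""
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings, key=lambda f: f.lineno)

def manifest_mismatches(findings, manifest):
    """Compare observed capabilities with what the skill manifest declares."""
    cats = {f.category for f in findings}
    guardrail = manifest.get("guardrail", "").lower()
    out = []
    if "analysis-only" in guardrail or "do not edit" in guardrail:
        if "fs_write" in cats:
            out.append("guardrail says analysis-only, but the code writes to the file system")
        if cats & {"exec", "dynamic_code"}:
            out.append("guardrail says analysis-only, but the code runs commands or dynamic code")
    if manifest.get("network", "").lower() == "none" and "network" in cats:
        out.append("manifest says 'Network: none', but the code imports network modules")
    return out

# Constructed sample: the subprocess.run line quoted in the first finding, plus a tree copy
# and a STATUS.md append of the kind the later findings describe.
SAMPLE_SOURCE = '''\
import subprocess, shutil
def run_unit(cmd, workspace, log_rel):
    log_path = workspace / log_rel
    completed = subprocess.run(cmd, check=False, capture_output=True, text=True)
    if completed.stdout or completed.stderr or completed.returncode != 0:
        log_path.write_text(completed.stdout + completed.stderr)
    shutil.copytree(workspace / "a", workspace / "b")
    with open(workspace / "STATUS.md", "a") as fh:
        fh.write("DONE")
    return completed.returncode
'''
# Assumed manifest shape; the two values are the strings quoted in the findings above.
SAMPLE_MANIFEST = {"network": "none", "guardrail": "analysis-only; do not edit content"}
```

On SAMPLE_SOURCE, scan_source reports the subprocess.run call on line 4 and three file-system writes (write_text, copytree and open(..., "a")), and manifest_mismatches returns two entries against the analysis-only guardrail. The attribute-name matching is deliberately coarse; a production scanner would resolve imports so that a .mkdir() on a non-Path object is not counted, and would walk every file in the bundle rather than one string.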

Vague Triggers

Medium
Confidence
91% confidence
Finding
The routing_hints list includes broad everyday terms such as "idea," "brainstorm," and generic Chinese equivalents, which can cause this pipeline to be selected for loosely related user requests. That increases the chance of unintended invocation, misrouting, and execution of a complex research workflow when a simpler or different skill should have handled the request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The routing hint list includes the generic English term "review", which is broad enough to match many ordinary user requests unrelated to formal peer review. That can cause unintended invocation of this pipeline, leading the agent to apply the wrong workflow, generate inappropriate artifacts, or expose unrelated content to a review-oriented process.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The subprocess is executed immediately once a runnable unit is found, without any user-facing confirmation at the point of execution. In the context of an ostensibly analysis-only skill, silent execution makes unintended code running more dangerous because operators may believe they are performing a passive regression check.
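Added example, not code from the skill or from SkillSpector: a replacement for the `subprocess.run(cmd, check=False, capture_output=True, text=True)` call quoted in the first finding that refuses shell strings, restricts the executable to a resolved-path allowlist, keeps path-like arguments inside the workspace, pins cwd, environment and timeout, and asks for confirmation at the point of execution so a declined run is reported rather than performed. The allowlist, the confirm callback and the demo commands are assumptions; the demo runs the current Python interpreter in a scratch directory so it works offline.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


class ExecutionRefused(Exception):
    """Raised before anything runs when the planned command fails policy."""


@dataclass
class RunResult:
    executed: bool
    argv: List[str]
    returncode: Optional[int]
    stdout: str = ""
    stderr: str = ""


def plan_command(cmd, workspace, allowed_executables):
    """Validate an argv list without running it; returns the argv that would run.

    Refuses shell strings, executables whose resolved path is not allowlisted, and
    path-like arguments that resolve outside the workspace, so tampered unit
    metadata cannot point the executor at ~/.ssh or /etc.
    """
    if isinstance(cmd, str):
        raise ExecutionRefused("refusing a shell string; pass an argv list")
    if not cmd:
        raise ExecutionRefused("empty command")
    exe = shutil.which(cmd[0])
    if exe is None or Path(exe).resolve() not in allowed_executables:
        raise ExecutionRefused(f"executable {cmd[0]!r} is not in the allowlist")
    root = Path(workspace).resolve()
    for arg in cmd[1:]:
        if "/" in arg or arg.endswith(".py"):             # heuristic: looks like a path
            target = (root / arg).resolve()
            if target != root and root not in target.parents:
                raise ExecutionRefused(f"argument {arg!r} resolves outside the workspace")
    return [exe, *cmd[1:]]


def run_guarded(cmd, workspace, *, allowed_executables, confirm, timeout=60):
    """Run cmd only after policy checks and an explicit confirm(argv) -> bool.

    When confirm() declines, the planned argv comes back with executed=False so an
    analysis-only caller can report what would have run without running it.
    """
    argv = plan_command(cmd, workspace, allowed_executables)
    if not confirm(argv):
        return RunResult(executed=False, argv=argv, returncode=None)
    # cwd pinned to the workspace, a minimal environment and a timeout: the original
    # call inherited all three from whatever process invoked the skill.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    completed = subprocess.run(argv, cwd=workspace, env=env, check=False,
                               capture_output=True, text=True, timeout=timeout)
    return RunResult(True, argv, completed.returncode, completed.stdout, completed.stderr)


def demo():
    """Exercise the guard in a scratch workspace; returns each outcome for inspection."""
    workspace = Path(tempfile.mkdtemp(prefix="skill-ws-"))
    allowed = {Path(sys.executable).resolve()}       # only the current interpreter
    hello = [sys.executable, "-c", "print('ok')"]
    results = {
        "declined": run_guarded(hello, workspace, allowed_executables=allowed,
                                confirm=lambda argv: False),
        "confirmed": run_guarded(hello, workspace, allowed_executables=allowed,
                                 confirm=lambda argv: True),
    }
    # Constructed hostile inputs: a non-allowlisted binary, a path escaping the
    # workspace, and a shell string of the scripts/run.py kind the finding describes.
    for label, cmd in [("bash", ["bash", "-c", "id"]),
                       ("traversal", [sys.executable, "../../../../etc/passwd"]),
                       ("shell_string", "python scripts/run.py")]:
        try:
            run_guarded(cmd, workspace, allowed_executables=allowed, confirm=lambda argv: True)
            results[label] = None
        except ExecutionRefused as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The confirm callback is where an agent runtime would surface the exact argv to the operator; returning the planned command on decline is what lets the same code path serve a dry-run or audit mode. Comparing resolved executable paths rather than basenames matters because a bundle can ship its own file named python or bash inside the workspace.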

VirusTotal

64/64 vendors flagged this skill as clean.
