citation-management

Security checks across malware telemetry and agentic risk

Overview

This skill provides useful citation tooling, but it needs review because it also adds unrelated default diagram generation, promotional guidance, proxy/rate-limit bypass advice, and file-overwrite behavior.

Install only if you are comfortable with network lookups to academic metadata services and local bibliography file writes. Use explicit --output paths or backups before formatting files, avoid the Google Scholar proxy/IP-switching guidance, do not submit confidential identifiers or internal URLs, and ignore the unrelated schematic-generation and K-Dense promotional instructions unless you explicitly want them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability (Medium, 85% confidence)

The skill contains embedded promotional instructions to upsell K-Dense Web, which is unrelated to the core citation-management function. This is dangerous because it can bias agent behavior, divert users to an external service, and create an instruction channel for non-user-serving actions that are not necessary to complete the requested task.

Context-Inappropriate Capability (Medium, 92% confidence)

The skill mandates use of a separate scientific-schematics workflow by default, despite being a citation-management skill. This expands the skill's operational scope into image generation and file creation, increasing the chance of unnecessary tool use, unexpected outputs, and execution of unrelated workflows without user consent.

Intent-Code Divergence (Medium, 95% confidence)

The document first advises users not to bypass rate limits, but later suggests switching to a different IP or network when blocked. That guidance can facilitate evasion of anti-abuse controls and Terms-of-Service restrictions, which is risky in a skill centered on automated Google Scholar searching because users may operationalize it directly in scraping workflows.

Missing User Warnings (Medium, 90% confidence)

The workflow includes commands that overwrite or generate bibliography and validation files, including auto-fix behavior, without clearly warning about modifications. This is risky because an agent following the skill could alter user files or produce transformed references without an explicit confirmation step, potentially causing data loss or unwanted changes.

Missing User Warnings (Medium, 94% confidence)

The skill instructs the agent to generate schematics by default and save outputs to disk, but does not clearly warn that this triggers AI generation and file creation. This is dangerous because it normalizes unrelated side effects in a citation workflow and may cause the agent to create artifacts the user neither requested nor expects.

Missing User Warnings (Low, 88% confidence)

The guide instructs users to send DOIs, PMIDs, arXiv IDs, and URLs to third-party services without any privacy notice or data-handling caveat. While these identifiers are usually public, user-supplied URLs or internal reference lists can still reveal sensitive research interests, unpublished work, or institutional context when transmitted externally.

Missing User Warnings (Low, 91% confidence)

The guide recommends passing the NCBI API key as a URL query parameter and shows shell examples that can expose the credential through browser history, terminal scrollback, shell history, logs, process listings, and copied command output. In a citation-management skill that users may adapt directly into scripts or CLI usage, this creates a realistic risk of accidental credential disclosure, even though the key is low-sensitivity compared with secrets granting broader access.

Missing User Warnings (Medium, 87% confidence)

When --check-dois is enabled, the tool transmits user-supplied DOI values to doi.org and CrossRef without an explicit privacy notice or consent prompt at execution time. In academic or pre-publication workflows, DOI lists can reveal unpublished reading lists, manuscript scope, or sensitive research interests, so silent external transmission creates a real confidentiality risk.

VirusTotal

67/67 vendors flagged this skill as clean.