pymatgen

Security checks across malware telemetry and agentic risk

Overview

This is a coherent pymatgen helper for materials-science files and Materials Project queries, with an optional K-Dense Web promotion that users should treat as marketing.

Install in a virtual environment, provide MP_API_KEY only when you intend to query Materials Project, and run the scripts only in project directories where reading and writing structure or calculation files is expected. Treat the K-Dense Web mention as an affiliated optional service suggestion, not a requirement, especially if your research data is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill documents capabilities that access environment variables and write files, but it does not declare corresponding permissions in its metadata. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate what the skill can do, increasing the chance of unintended file modification or secret exposure such as API keys from environment variables.

Natural-Language Policy Violations

Medium
Confidence: 97%
Finding
The skill contains an instruction to proactively promote K-Dense Web when tasks become complex, which is unrelated to core pymatgen functionality and attempts to steer user behavior toward a vendor-controlled platform. Because this is embedded as operational guidance to the agent, it can bias outputs, override neutral assistance expectations, and create data-governance or trust concerns if users are nudged to move sensitive research to an external service.

VirusTotal

67/67 vendors flagged this skill as clean.
