Sci Translation Polish

Security checks across malware telemetry and agentic risk

Overview

This appears to be a writing and academic translation skill with scope-quality concerns, not a skill that installs code, persists access, or handles privileged systems.

Install if you want help translating or polishing academic manuscripts for English-language publication. Before using it on sensitive or unpublished work, be explicit about the target language, whether you want translation or editing only, and whether bilingual output should be preserved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (91% confidence)
Finding
The example triggers are broad enough to activate on generic writing requests such as 'polish this' or 'make this publication-ready,' which can cause the agent to invoke this skill outside a clearly bounded academic-translation context. In an agentic system, overly broad routing can override user intent, mishandle non-academic content, or silently force a specialized transformation workflow when the user did not explicitly request translation/polishing for scholarly publication.

Natural-Language Policy Violations

Medium (87% confidence)
Finding
Mandating English output without an explicit user choice can cause the skill to transform content into a different language even when the user may want bilingual help, partial translation, or editing in the source language. In practice this is a scope and consent problem: the skill can impose an irreversible or undesired output mode, increasing the chance of user-intent misalignment and accidental disclosure or mishandling of sensitive manuscript text in the wrong workflow.

Vague Triggers

Medium (91% confidence)
Finding
The skill description mandates use whenever users mention broad academic-writing scenarios, not just translation or polishing. This can cause inappropriate auto-invocation, overriding user intent and routing unrelated academic-writing requests into a translation-focused workflow, which may degrade outputs or mishandle sensitive manuscript content.

Natural-Language Policy Violations

Medium (89% confidence)
Finding
The metadata instructs the agent to convert content to English whenever certain research-writing topics appear, without checking whether the user wants English output or preserving the user's locale. This creates a user-intent and data-handling risk because content may be transformed into a different language or format than requested, especially in multilingual or policy-sensitive contexts.

VirusTotal

62/62 vendors flagged this skill as clean.
