PharmaAI

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a prototype drug-discovery tool, but it advertises safety-related ADMET and Lipinski analysis that the code does not actually compute and includes unrelated ClawHub token/publishing instructions.

Treat this as a review-needed prototype, not a dependable drug-safety tool. Do not rely on its ADMET or Lipinski fields for research or safety decisions unless they are replaced with real validated calculations, and do not follow the bundled ClawHub token or publishing instructions unless you are intentionally maintaining/publishing the skill. Install only in a controlled environment with pinned dependencies and trusted model files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This document includes ClawHub authentication and skill publishing instructions that are unrelated to the advertised pharmaceutical-analysis functionality. In a skill package, unrelated operational guidance can normalize privilege use and credential handling beyond the stated purpose, increasing the chance that users expose secrets or perform unintended platform actions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file broadly documents account login, token acquisition, token storage, and skill publishing, none of which are justified by the pharmaceutical-analysis use case. This expands the skill's effective scope into credentialed platform operations, which is risky because users may trust the skill package and follow steps that expose tokens or grant unnecessary access.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function advertises ADMET evaluation and Lipinski-related output but returns hardcoded placeholder values instead of computed results. In a drug-discovery context, users may rely on these fields for scientific or safety decisions, causing materially misleading risk assessment and potentially unsafe prioritization of compounds.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata claims ADMET assessment and Lipinski rule validation, but this code always returns fixed values such as 'Medium' and true without performing any analysis. Because the skill is intended for pharmaceutical screening, this mismatch is especially dangerous: it can create false confidence in compound developability and safety properties.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide instructs users to pass API tokens directly on the command line and to write tokens into files using shell commands. Command-line arguments may be exposed via shell history, process listings, logs, or audit systems, and plain file writes can leave recoverable secrets on disk if not handled carefully.

Unpinned Dependencies

Low
Category
Supply Chain
Content
rdkit>=2023.0.0
scikit-learn>=1.3.0
numpy>=1.24.0
joblib>=1.3.0
Confidence
94% confidence
Finding
rdkit>=2023.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
rdkit>=2023.0.0
scikit-learn>=1.3.0
numpy>=1.24.0
joblib>=1.3.0
Confidence
97% confidence
Finding
scikit-learn>=1.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
rdkit>=2023.0.0
scikit-learn>=1.3.0
numpy>=1.24.0
joblib>=1.3.0
Confidence
95% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
rdkit>=2023.0.0
scikit-learn>=1.3.0
numpy>=1.24.0
joblib>=1.3.0
Confidence
98% confidence
Finding
joblib>=1.3.0

Known Vulnerable Dependency: joblib — 3 advisories: CVE-2022-21797 (joblib vulnerable to arbitrary code execution); CVE-2022-21797 (The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Exec); CVE-2024-34997 (joblib v1.4.2 was discovered to contain a deserialization vulnerability via the )

Critical
Category
Supply Chain
Confidence
88% confidence
Finding
joblib

VirusTotal

66/66 vendors flagged this skill as clean.
