Auto Research

Security checks across malware telemetry and agentic risk

Overview

This is a real research skill, but it needs review because it can use stored credentials, send research content to external services, and leave persistent helper code and data behind.

Before installing, review the scripts and only use this skill for topics you are comfortable sending to web search and embedding services. Set your own BRAVE_API_KEY, OPENAI_API_KEY, OBSIDIAN_VAULT, QDRANT_URL, and Redis settings explicitly; do not rely on bundled defaults. Check or remove the generated helper path after use, and avoid researching confidential, regulated, or proprietary subjects unless your Obsidian, Redis, Qdrant, and OpenAI data handling are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability
Severity: Medium. Confidence: 82%.
The script's stated purpose is to perform web research and write a briefing, but it also forwards the generated output into a vectorization workflow tied to a remote Qdrant instance. This expands data handling beyond the obvious task boundary and can expose sensitive research topics or generated notes to another service without clear user awareness or consent.

Context-Inappropriate Capability
Severity: Medium. Confidence: 93%.
The script falls back to reading an OpenAI API key from a local auth profile file and then exports it for use, which is sensitive credential access beyond simple argument handling. While the script’s purpose does require an API key for embeddings, silently harvesting it from another local configuration source without explicit user consent or disclosure creates unnecessary credential exposure and weakens trust boundaries.

Missing User Warnings
Severity: Medium. Confidence: 93%.
The skill advertises autonomous research and storage into an Obsidian vault and Qdrant, but it does not clearly warn users that prompts, collected content, and generated outputs may be persisted in local and external systems. This can lead users to submit sensitive topics or proprietary data without understanding that the information will be stored and made retrievable later.

Missing User Warnings
Severity: Medium. Confidence: 96%.
The configuration section lists Brave Search, Qdrant, and Redis endpoints, but the skill does not explicitly tell users that research topics, source metadata, and possibly processed content are sent over the network to those services. In a research tool, users may assume they are only performing local note generation, so the omission increases the risk of unintended disclosure of confidential interests, internal projects, or regulated information.

Missing User Warnings
Severity: High. Confidence: 99%.
A hardcoded Brave API key is embedded directly in the script, which exposes a credential to anyone with file access and encourages secret reuse across environments. Leaked API credentials can be abused for unauthorized API consumption, billing impact, service quota exhaustion, or attribution of malicious activity to the owner.

Missing User Warnings
Severity: Medium. Confidence: 89%.
The script transmits the user-provided research topic to Brave Search without an explicit warning or consent step. Research topics can contain confidential business plans, internal project names, regulated subjects, or personal data, so silent external transmission creates a privacy and data-governance risk.

Missing User Warnings
Severity: Medium. Confidence: 84%.
The script writes generated content directly into the user's Obsidian vault, which is a persistent knowledge repository that may sync to other devices or cloud services. Automatic writes without clear notice can pollute trusted notes, introduce sensitive content into synced storage, or create misleading records the user did not intend to save.

Missing User Warnings
Severity: Medium. Confidence: 87%.
After creating the report, the script passes the file path, topic, and sources into a vectorization subprocess with no explicit disclosure. Because this likely results in further parsing, embedding, or transmission to another service, it broadens exposure of collected data beyond the initial research task in a way users may not expect.

Missing User Warnings
Severity: Medium. Confidence: 92%.
The fallback cache stores arbitrary values in /tmp, which is a shared, world-accessible location on many systems. Even though filenames are hashed, the cached content may contain sensitive research data or tokens and could be read, tampered with, or exposed to file race conditions by other local users if directory permissions are not locked down.

Missing User Warnings
Severity: Medium. Confidence: 86%.
Cached values are sent to Redis over the network, and the script does not enforce TLS or verify that the endpoint is trustworthy. If the cache contains sensitive data, it may be exposed to interception, unauthorized access on the Redis server, or unintended persistence outside the local host.

Vague Triggers
Severity: Medium. Confidence: 88%.
The description advertises the skill for very broad use cases such as researching 'any topic' and conducting multi-source research without meaningful constraints, exclusions, or safety boundaries. In an agent setting, this can cause over-invocation and make the skill a default tool for untrusted or sensitive tasks, increasing the chance of unsafe web access, data collection, or downstream processing beyond intended scope.

Missing User Warnings
Severity: Medium. Confidence: 90%.
The script silently writes a new executable helper program to disk and then runs it, introducing code-generation and execution behavior that users may not expect from a vectorization utility. This expands the attack surface, complicates review, and makes it easier to smuggle additional behavior such as data collection or network activity without clear notice.

Missing User Warnings
Severity: Medium. Confidence: 96%.
The generated Python code sends document text to the OpenAI embeddings API, which is an external service, without any explicit disclosure or consent flow. Research documents may contain proprietary, regulated, or otherwise sensitive information, so transmitting content off-host can create confidentiality and compliance risks.

Missing User Warnings
Severity: Low. Confidence: 88%.
Reading API credentials from a local auth profile without prominently disclosing that behavior is a sensitive operation, especially in an agent skill context where users may not expect lateral access to other tools' credentials. Even if the credential is used for the stated purpose, undisclosed secret access violates the principle of least astonishment and can expose more secrets than intended.

VirusTotal

57/57 vendors flagged this skill as clean.