ClawHub

paper-view

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PaperView API helper, but it sends user-provided data or document URLs to PaperView and uses a PaperView token.

Install this only if you intend to use PaperView. Do not send confidential datasets, private paper links, regulated data, secrets, or unpublished material unless you are comfortable with PaperView processing it; keep the API token in an environment variable and avoid pasting it into shared chats or files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description is broad enough to trigger on many generic visualization, charting, figure-generation, or document-analysis requests, which can cause the agent to route user data to this third-party API in situations where the user did not specifically ask for PaperView. Because the skill transmits raw data and document URLs externally, overbroad invocation increases the chance of unintended disclosure and surprise data handling.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The instruction to always render and open results visually can override user preference and cause automatic opening of browser content or local HTML files without confirmation. While not directly code execution by itself, it creates an unnecessary action that may leak data to third-party CDNs, surprise the user, or increase exposure to unsafe rendered content.

External Transmission

Medium
Category
Data Exfiltration
Content
- **Scientific:** violin, manhattan, volcano, forest, survival, roc, venn, upset, enrichment, circos, waterfall

```bash
curl -X POST \
  -H "Authorization: Bearer $PAPERVIEW_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
97% confidence
Finding
curl -X POST \ -H "Authorization: Bearer $PAPERVIEW_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Example — from text description:**

```bash
curl -N -X POST \
  -H "Authorization: Bearer $PAPERVIEW_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
curl -N -X POST \ -H "Authorization: Bearer $PAPERVIEW_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "template_type": "custom_text_only", "custom_prompt": "A flowchart: Data C

External Transmission

Medium
Category
Data Exfiltration
Content
| `max_words` | integer | No | Max keywords to return (default: 100) |

```bash
curl -X POST \
  -H "Authorization: Bearer $PAPERVIEW_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
curl -X POST \ -H "Authorization: Bearer $PAPERVIEW_API_TOKEN" \ -H "Content-Type: application/json" \ -d

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal