Dreamer

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as a drug-delivery molecular design assistant, and the behaviour observed in the scan (ML model loading and training, web research, and writes to local output paths) is consistent with that description rather than with hidden or destructive activity.

Install only in a sandbox where outbound network access, compute cost, and writes to local output paths are acceptable. Review or clear knowledge_data/latest_research.txt before generation if it may contain private information, since the skill reads it back as model input, and prefer pinned or locally approved model checkpoints for sensitive scientific work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The routing rules rely on broad natural-language intents such as generation, training, recommendation, and optimization without clear exclusions or confirmation gates. In practice, this can misroute ambiguous requests into high-risk workflows, triggering model training, code execution, or sensitive data processing when the user did not explicitly request them.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly directs the agent to scrape arXiv and news sources and write the results into a local knowledge file, but it does not clearly notify the user before performing network access or persistent local writes. This can expose the environment to unanticipated outbound connections, content ingestion risks, and filesystem side effects, especially because the scraped content is later used as model input.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The skill mandates automatic reading of a local research file as 'short-term memory' prior to generation tasks without clearly informing the user. This creates implicit data access that may pull in sensitive or stale local content and can influence outputs in ways the user cannot see or control.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger conditions are overly broad generic phrases such as '画图' ("draw a chart") and '生成热力图' ("generate a heatmap"), which can match many ordinary user requests and cause this skill to activate outside its intended scope. In an agent system, ambiguous routing can expose unrelated user data to the visualization workflow, produce incorrect tool invocation, or create unsafe cross-skill behavior when upstream modules are queried automatically.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger phrases are open-ended and map broad user requests like 'find the best molecules' directly to a powerful filtering/recommendation workflow without clear authorization, task boundaries, or safety gating. In a drug-design context, this can cause the agent to over-activate on ambiguous prompts and produce high-value molecular prioritization outputs for requests that were not sufficiently scoped or reviewed.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The trigger conditions are broad and ambiguous, such as activating on requests to generate molecules, train a model, or generate under specific conditions without clear authorization, scope, or safety gates. In a high-impact drug-delivery molecular design skill, this can cause unintended invocation for sensitive scientific tasks, unsafe generation requests, or execution outside the user's actual intent.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger conditions are overly broad, covering general requests like predicting molecular properties or explaining a molecule’s property without clear authorization, dataset, or workflow boundaries. In a high-risk chemistry and drug-delivery context, this can cause unintended activation on sensitive scientific tasks, leading to misuse, overreach into hazardous domains, or analysis of inputs beyond the intended safety envelope.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger conditions are broad natural-language phrases such as '微调模型让它更准' ("fine-tune the model to make it more accurate") and '加载我的反馈数据优化模型' ("load my feedback data to optimize the model"), which can match common user intents beyond this specific high-risk RLHF workflow. In an agent system, this can cause unintended skill activation, leading the agent to initiate model-training or preference-optimization actions on private datasets without sufficient user confirmation or scope checks.
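The Vague Triggers findings above all describe the same gap: phrase matching routes a request straight into a workflow that trains models, reads local memory, fetches from the network, or writes files, with no confirmation step in between. The following is an added illustration of the confirmation gate a practitioner would put in front of such routing; it is example code written for this page, not the Dreamer skill's own router or SkillSpector's code. The skill names, the action labels and the fourth trigger set are assumptions; the quoted trigger phrases are the ones cited in the findings.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Side effects that must never run on an inferred intent alone.
# Labels are assumed for this example; the skill's real action names are not on the page.
GATED_ACTIONS = frozenset({"train_model", "execute_code", "network_fetch",
                           "write_local", "read_local_memory"})


@dataclass(frozen=True)
class Skill:
    name: str                 # assumed skill name
    triggers: Sequence[str]   # literal phrases the routing rules match
    actions: frozenset        # side effects the workflow performs once routed


@dataclass
class Decision:
    skill: Optional[str]      # chosen skill, or None when routing is ambiguous
    needs_confirmation: bool  # True when the agent must ask before proceeding
    reasons: List[str]


# Constructed skill table using the trigger phrases quoted in the findings.
SKILLS = (
    Skill("visualize", ("画图", "生成热力图", "plot"), frozenset({"read_local_memory"})),
    Skill("recommend", ("find the best molecules", "recommend"), frozenset()),
    Skill("finetune", ("微调模型让它更准", "加载我的反馈数据优化模型", "fine-tune"),
          frozenset({"train_model", "read_local_memory"})),
    Skill("research", ("latest research", "arxiv"), frozenset({"network_fetch", "write_local"})),
)


def match_skills(request: str, skills: Sequence[Skill]) -> List[Skill]:
    """Return every skill whose trigger phrase occurs in the request (case-insensitive)."""
    text = request.lower()
    return [s for s in skills if any(t.lower() in text for t in s.triggers)]


def route(request: str, skills: Sequence[Skill] = SKILLS) -> Decision:
    """Route a request, but stop for confirmation on ambiguity or gated side effects.

    The unsafe pattern is `return match_skills(request)[0]`; this version refuses to
    pick a skill when several match, and refuses to run gated actions silently.
    """
    matches = match_skills(request, skills)
    if not matches:
        return Decision(None, False, ["no skill matched"])

    reasons: List[str] = []
    if len(matches) > 1:
        reasons.append("ambiguous: matched " + ", ".join(s.name for s in matches))
        # Do not guess between workflows; the user must choose.
        return Decision(None, True, reasons)

    chosen = matches[0]
    gated = sorted(chosen.actions & GATED_ACTIONS)
    if gated:
        reasons.append(f"{chosen.name} performs gated actions: {', '.join(gated)}")
    return Decision(chosen.name, bool(gated), reasons)


def confirmation_prompt(decision: Decision) -> str:
    """Text the agent should show before continuing, so side effects are visible."""
    if not decision.needs_confirmation:
        return ""
    return "Before continuing, confirm: " + "; ".join(decision.reasons)


if __name__ == "__main__":
    for req in ("帮我生成热力图", "find the best molecules for this carrier",
                "plot the latest research on arxiv", "微调模型让它更准"):
        d = route(req)
        print(req, "->", d.skill, d.needs_confirmation, confirmation_prompt(d))
```

The gate is deliberately coarse: any workflow that trains, executes, fetches or writes requires an explicit yes, and any request matching more than one skill is handed back to the user instead of being resolved by list order. That is the minimum behaviour the findings ask for; a production router would additionally scope which datasets and output paths the confirmed action may touch.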

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The code loads a model directly from a remote Hugging Face repository at runtime without pinning a specific revision, verifying integrity, or requiring an explicit trust decision from the user. In an agent skill handling scientific workflows, this creates a supply-chain risk: a compromised upstream model or unexpected update could change behavior, exfiltrate sensitive inputs, or introduce unsafe outputs without visibility.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
A second independent runtime fetch of the same remote model increases the supply-chain exposure and reduces auditability, since model contents may differ over time if not pinned. In this drug-design context, silent remote dependency resolution is more concerning because downstream decisions may influence scientific analysis and recommendations, making model tampering or drift materially risky.
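Both of the preceding findings come down to one check: does every runtime model fetch pin an immutable commit hash? The following is an added example, written for this page rather than taken from the Dreamer skill or from SkillSpector, of a small static check that flags Hugging Face loader calls without such a pin. The repository name "example-org/example-model" and the sample source are constructed placeholders; the page does not name the actual model the skill loads.

```python
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Hugging Face entry points that resolve a remote repository at call time.
REMOTE_LOADERS = {"from_pretrained", "hf_hub_download", "snapshot_download"}

# Only a full 40-hex commit hash is immutable; tags and branch names can be moved upstream.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class UnpinnedLoad:
    line: int
    call: str
    reason: str


def _call_name(node: ast.Call) -> Optional[str]:
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_unpinned_loads(source: str) -> List[UnpinnedLoad]:
    """Scan Python source for remote model loads that are not pinned to a commit hash."""
    findings: List[UnpinnedLoad] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in REMOTE_LOADERS:
            continue

        # A literal local path is not fetched from the Hub; skip it.
        first = node.args[0] if node.args else None
        if (isinstance(first, ast.Constant) and isinstance(first.value, str)
                and first.value.startswith(("/", "./", "../"))):
            continue

        revision = next((kw.value for kw in node.keywords if kw.arg == "revision"), None)
        if revision is None:
            findings.append(UnpinnedLoad(
                node.lineno, name, "no revision= argument; resolves the default branch head at runtime"))
        elif not (isinstance(revision, ast.Constant) and isinstance(revision.value, str)
                  and COMMIT_SHA.match(revision.value)):
            findings.append(UnpinnedLoad(
                node.lineno, name, "revision is not a 40-hex commit hash; branches and tags can move"))
    return findings


# Constructed sample in the style the findings describe: two unpinned loads,
# one local checkpoint, and one correctly pinned load (placeholder hash).
SAMPLE = '''
from transformers import AutoModel, AutoTokenizer
tok = AutoTokenizer.from_pretrained("example-org/example-model")
model = AutoModel.from_pretrained("example-org/example-model", revision="main")
local = AutoModel.from_pretrained("./checkpoints/approved")
pinned = AutoModel.from_pretrained("example-org/example-model",
                                   revision="0123456789abcdef0123456789abcdef01234567")
'''


if __name__ == "__main__":
    for f in find_unpinned_loads(SAMPLE):
        print(f"line {f.line}: {f.call}: {f.reason}")
```

Run against the skill's own source before installing it; the two hits on lines 3 and 4 of the sample are exactly the pattern the findings report, while the local checkpoint and the hash-pinned call pass. Pinning the hash removes silent drift but not the need to review the pinned artifact itself, so pair this check with an approved-checkpoint list where the work is sensitive.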

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal