REVIEW 2 major objections 10 minor 34 references
LLMs hallucinate resource names — attackers can squat them for botnets
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · glm-5.2
2026-07-09 10:54 UTC pith:SOONOOV3
load-bearing objection New attack class: LLM hallucination squatting against agentic apps — real, but end-to-end evidence is narrow the 2 major comments →
Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central discovery is that LLM hallucinations of resource identifiers are not random errors but predictable, transferable, and exploitable at scale. The paper demonstrates this through three findings: (1) For repositories created after a model's training cutoff, foundational LLMs hallucinate the repository owner in 92% of cases (vs. 0.9% for older repositories), with a self-referential pattern (repo-name/repo-name) appearing across all six model families tested and serving as the top hallucination in 15 of 60 repository-model combinations. (2) These hallucinations transfer from the foundational model layer into production applications, where they manifest as executed git clone commands or
What carries the argument
The attack pipeline operates in six steps: (0) Preparation — the attacker identifies trending resources, probes an LLM to compute a distribution over hallucinated identifiers, identifies the highest-probability squattable candidate (the universal squatting candidate, computed via Algorithms 1 and 2 which aggregate per-model distributions into a cross-model consensus score), registers that identifier, and embeds promptware. (1) Trigger — a user issues a routine prompt like 'clone librepods' or 'install skill vetter'. (2) Planning — the agentic application uses its LLM to plan resource retrieval. (3) Hallucination — the LLM fabricates the missing identifier component (e.g., the GitHub owner),产
Load-bearing premise
The attack's real-world scalability depends on hallucinated identifiers being both registrable and concentrated enough that a small number of registrations intercept a meaningful fraction of user traffic. The paper's own data shows high variance: some repository-model combinations produce up to 91 distinct hallucinated slugs, the top universal candidate captures only 9–35% of hallucinations per repository, and end-to-end success is measured against a single carefully selected
What would settle it
The attack would fail to scale if hallucinated identifiers were uniformly distributed across hundreds of distinct values (making any single registration ineffective), if platforms enforced global name uniqueness preventing namespace squatting, or if agentic applications universally enforced search-before-fetch workflows. The paper's own data shows that four of six models in Cursor CLI invoke web search 59–99% of the time, dropping hallucination to 1.5–8% — suggesting that mandatory search would largely close the vulnerability.
If this is right
- Agentic applications that integrate terminal access and retrieve external resources by partial names are vulnerable to a new class of supply-chain-style attack where the supply chain is the LLM's own prediction errors, not a compromised package registry.
- Web search before resource retrieval is the most effective mitigation identified: when applications search before fetching, 93.4% of outcomes are correct; without search, 99.1% are hallucinated. But search is invoked inconsistently — skipped in 32% of slug-producing runs — and depends on both the model and prompt phrasing, meaning no prompt is universally safe.
- The self-referential hallucination pattern enables a zero-probing attack: an attacker who registers the repo-name username for each new GitHub Trending entry intercepts hallucinated clones across all models without ever querying an LLM, lowering the attack barrier to near zero.
- Platforms like GitHub and ClawHub face a structural dilemma: allowing namespace-based registration (owner/repo) enables squatting, but eliminating namespaces breaks existing addressing. The paper's disclosure responses show most vendors classify this as out-of-scope for bug bounties, treating it as expected behavior rather than a platform vulnerability.
- The attack surface extends beyond repositories and skills to any platform where LLMs resolve partial identifiers to full resource locations — Docker Hub, Hugging Face, package registries, and the broader web.
Where Pith is reading between the lines
- The training-cutoff boundary creates a temporal vulnerability window: any resource that becomes popular after a model's training data was collected is a candidate for hallusquatting until the next model update. This means the attack surface regenerates continuously as new trending resources appear faster than models are retrained.
- The concentration of hallucinations varies sharply across models (some lock onto a single slug in 90%+ of runs, others distribute across up to 91 distinct slugs), which means the attack's real-world success rate depends heavily on the victim's specific model and application configuration. The paper's end-to-end results are measured against a single case-study target (librepods) where the self-refe
- If platforms adopt proactive registration of likely hallucinated identifiers (analogous to typosquatting defenses), this creates an arms race: the defender must predict the same distribution the attacker predicts, but the defender must cover all models while the attacker needs only one registrable slug to succeed.
- The word-removal vulnerability in skill installation (V1) is caused by the over-representation of the token 'skill' in ClawHub's install-guidance documentation loaded into the agent's context — suggesting that any boilerplate documentation repeatedly exposing a token creates a systematic stripping bias that can be exploited for any resource type with similar documentation patterns.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces 'adversarial hallucination squatting,' a technique where an attacker identifies trending resources (GitHub repositories, ClawHub skills), predicts LLM-hallucinated resource identifiers via probing, preemptively registers those identifiers, and embeds promptware payloads. The work spans two attack surfaces: (1) repository squatting against coding assistants (Cursor, Windsurf, Gemini CLI, Copilot, Cline) and (2) skill squatting against personal assistants (OpenClaw, ZeroClaw, NanoClaw). The foundational-layer experiments (Section 3.3) systematically measure hallucination rates across six LLMs and 15 repositories, finding near-100% hallucination for recent repositories and near-0% for old ones. The application-layer experiments (Section 3.4) measure how hallucinations propagate into production assistants and how web search mitigates them. End-to-end attacks (Table 1) demonstrate RCE and tool invocation at rates of 20-100% across applications. The skill-squatting experiments (Section 4) identify two vulnerability classes (V1: word removal, V2: display-name/slug divergence) and demonstrate 90%+ squat rates across skills and assistants. The paper includes responsible disclosure to all affected vendors and IRB approval.
Significance. The paper makes a significant contribution to the promptware and LLM security literature by identifying a novel, scalable, untargeted attack vector that requires no direct injection channel. The foundational-layer experiments are rigorous: 14,000+ runs across six LLMs, well-controlled with old-repository baselines (Table 3), and the universal scoring algorithm (Algorithms 1-2) provides a principled, parameter-light method for ranking squatting candidates. The discovery that self-referential slugs (repo-name/repo-name) enable a zero-probing attack is a particularly sharp and actionable finding. The skill-squatting analysis (V1/V2 classes) is well-structured and the cross-assistant transferability results (Table 11) are convincing. The responsible disclosure process, with documented vendor responses, adds practical value. The paper's core insight—that LLM hallucination is predictable, transferable, and exploitable for untargeted promptware—is both novel and well-supported by the breadth of experimentation.
major comments (2)
- §3.4.4, Table 1: The end-to-end attack results (20-65% RCE across coding assistants) are demonstrated exclusively against the librepods repository, which has an unusually favorable hallucination concentration (51-57% universal score, Table 13). Table 5 shows that for the other 10 trending repositories, the top-1 universal candidate captures only 9-35% of hallucinations, and the top-5 together capture 24-84%. The central scalability claim would be substantially strengthened by at least one additional end-to-end demonstration against a repository with less favorable concentration (e.g., Kronos at 13.9% or Archon at 16.7%). Without this, the reader cannot assess how the end-to-end success rate degrades for typical repositories. The authors should either provide such a demonstration or explicitly scope the Table 1 results as a best-case bound and discuss the expected degradation.
- §3.4.1: Four of six models in Cursor CLI invoke web search 59-99% of the time, dropping hallucination to 1.5-8% for recent repositories. This means the end-to-end attack (Table 1) is only viable for the two Claude models that avoid search. The paper's framing of the attack as 'universal across multiple LLM coding assistants' (Insight 7) should be qualified: the attack is universal across the tested applications, but its success is heavily conditioned on the model's search behavior. The paper should clarify which models were used in the end-to-end trials (Table 1 does not specify the model for each application) and report the per-model end-to-end success rate, so the reader can assess whether the 20-65% figures reflect search-avoiding models or an average across all models including search-prone ones.
minor comments (10)
- Abstract: 'from the Inte' appears to be a truncation; should read 'from the Internet.'
- §1, paragraph 4: 'comprised resource' should be 'compromised resource.' This typo recurs in the threat model description.
- Table 1: The 'Overall' column is unlabeled in the caption; it should be defined as the product of resource-fetched rate and payload-execution rate, or whatever aggregation method was used.
- Table 1: Sample sizes are inconsistent (20 trials for coding assistants, 10 for OpenClaw/ZeroClaw/NanoClaw). The caption should note this and explain the rationale for the different sample sizes.
- §3.3.1: The mean hallucination rate of 92.4% for recent repositories is reported, but the per-model means in Table 3 range from 72.3% (Opus) to 100% (Gemini Flash/Pro). The text should clarify whether 92.4% is the mean across all 60 (repo, model) combinations or the mean of per-model means.
- §3.3.2, Insight 3: The claim that 'every trending repository has at least one registrable squatting candidate within the top 10 universal scores' is strong but the supporting data (Table 5) only shows the top-1 candidate. The full top-10 rankings should be referenced or included in the appendix to support this claim.
- §4.2, V2 non-English sub-case: The claim that ClawHub's similarity search is 'dominated by English tokens' is plausible but not independently verified. A brief analysis of the search ranking algorithm or a controlled experiment varying the documentation language would strengthen this claim.
- §7 (Limitations): The discussion of malware detection bypass is brief and relies on external references. The paper should state more directly that the end-to-end experiments used locally modified payloads (not published malicious content) and that the actual detection rate of platform scanning mechanisms was not tested.
- Table 5 caption: 'Score: probability score across all six models' is ambiguous. It should clarify whether this is the universal score from Algorithm 2 (sum of normalized per-model distributions divided by |M|) or a simple average.
- §3.4.4: The phrase 'payload sophistication as a lower bound' is used but the two payloads tested (explicit AI-targeting markers vs. disguised utility script) represent a narrow range. The claim that results constitute a 'lower bound on attacker capability' should be qualified or the payload spectrum should be documented.
Simulated Author's Rebuttal
We thank the referee for a careful and constructive review. Both major comments are well-taken and point to legitimate gaps in how the end-to-end results are scoped and contextualized. We address each below.
read point-by-point responses
-
Referee: §3.4.4, Table 1: The end-to-end attack results (20-65% RCE across coding assistants) are demonstrated exclusively against the librepods repository, which has an unusually favorable hallucination concentration (51-57% universal score, Table 13). Table 5 shows that for the other 10 trending repositories, the top-1 universal candidate captures only 9-35% of hallucinations, and the top-5 together capture 24-84%. The central scalability claim would be substantially strengthened by at least one additional end-to-end demonstration against a repository with less favorable concentration (e.g., Kronos at 13.9% or Archon at 16.7%). Without this, the reader cannot assess how the end-to-end success rate degrades for typical repositories. The authors should either provide such a demonstration or explicitly scope the Table 1 results as a best-case bound and discuss the expected degradation.
Authors: The referee is correct that the end-to-end results in Table 1 are demonstrated exclusively against librepods, which has an unusually favorable hallucination concentration (51-57% universal score). We agree that this leaves the reader unable to assess how the attack degrades for repositories with lower concentration. We will address this in two ways. First, we will explicitly scope the Table 1 results as a best-case bound in the revised manuscript, adding a paragraph in Section 3.4.4 that clarifies librepods was selected as a case study due to its high concentration and that the reported success rates should be interpreted as an upper bound on end-to-end effectiveness for a single registered squat. Second, we will add a discussion of expected degradation: for repositories like Kronos (13.9% top-1 universal score) or Archon (16.7%), the resource-fetch rate would scale proportionally to the universal score, and the overall end-to-end success rate would be the product of the fetch rate and the payload execution rate (which we observed to be relatively stable across assistants at 50-100%). We will include a back-of-envelope extrapolation table or paragraph. We note that the self-referential zero-probing attack (Insight 3) provides an additional attack path that does not depend on concentration at all, which partially mitigates the concentration concern for repositories where the self-referential slug is registrable. However, we agree that an additional end-to-end demonstration against a less favorable repository would be the strongest response, and we will attempt to conduct one against Kronos or Archon if time and ethical constraints permit before the camera-ready deadline. If we cannot complete it in time, the scoping and degradation discussion will be included regardless. revision: partial
-
Referee: §3.4.1: Four of six models in Cursor CLI invoke web search 59-99% of the time, dropping hallucination to 1.5-8% for recent repositories. This means the end-to-end attack (Table 1) is only viable for the two Claude models that avoid search. The paper's framing of the attack as 'universal across multiple LLM coding assistants' (Insight 7) should be qualified: the attack is universal across the tested applications, but its success is heavily conditioned on the model's search behavior. The paper should clarify which models were used in the end-to-end trials (Table 1 does not specify the model for each application) and report the per-model end-to-end success rate, so the reader can assess whether the 20-65% figures reflect search-avoiding models or an average across all models including search-prone ones.
Authors: The referee raises a valid and important point. Table 1 does in fact specify the model for each application (e.g., Cursor with Sonnet 4.5, Cursor CLI with Grok Code, Gemini CLI with Gemini 2.5, Windsurf with SWE-1.5, Copilot Chat with GPT-4.1, Cline with KAT-Coder-Pro V1), but we agree that the connection between these model choices and the search-behavior findings in Section 3.4.1 is not made explicit. The end-to-end trials used the default model for each application, and several of these models (e.g., Grok Code in Cursor CLI, Gemini 2.5 in Gemini CLI) are indeed models that exhibit lower search rates in our controlled experiments. We will revise the manuscript to: (1) add an explicit note in Section 3.4.4 cross-referencing the model choices in Table 1 with the search behavior results from Section 3.4.1, clarifying that the end-to-end results reflect the default model for each application and that applications whose default models search aggressively would be expected to show lower attack success rates; (2) qualify Insight 7 to state that the vulnerability is universal across the tested applications but that end-to-end success is conditioned on the model's search behavior, as demonstrated in Section 3.4.1; and (3) add a column or footnote to Table 1 indicating the search rate observed for each model in our controlled experiments. We agree that the current framing of Insight 7 overstates universality without this qualification. revision: yes
Circularity Check
No significant circularity; the attack pipeline is self-contained with one minor self-citation that is not load-bearing.
full rationale
The paper's core derivation chain is not circular. The attacker probes LLMs to discover hallucination distributions (Algorithm 1-2), registers resources externally on GitHub/ClawHub, and the victim independently fetches them. The universal score is computed from probing data and validated against separate end-to-end attack trials (Table 1). The self-referential hallucination pattern (repo-name/repo-name) is a structural prediction from the foundational-layer experiments, not a definition that presupposes the attack's success. The one self-citation (Cohen et al. [5], CCS'25) is used only for related-work positioning—contrasting targeted vs. untargeted attacks—and does not serve as a load-bearing premise for any derivation step. The end-to-end results in Table 1 are measured against live production systems, not derived from the authors' prior work. The paper's limitations (single case-study target librepods, web-search reducing hallucination) are correctly characterized as generalizability concerns, not circularity. The derivation is self-contained against external benchmarks (real production applications, real GitHub/ClawHub registrations, real RCE measurements). Score 1 reflects the minor self-citation that is contextual rather than load-bearing, and the absence of any step where a prediction reduces to its inputs by construction. The concern about librepods being an unusually favorable target is a validity/generalizability issue, not a circularity issue—the paper does not define librepods' hallucination rate in terms of the attack outcome, nor does it derive the attack success from a fitted parameter that is then 'predicted.' The probing data (Tables 3, 4, 5, 12, 13) is collected independently from the end-to-end attack measurements (Table 1), and the gap between them (e.g., web search dropping hallucination to 1.5-8%) is honestly reported rather than hidden or defined away. No step in the derivation chain reduces to its own inputs by construction, and no 'prediction' is equivalent to a fitted input renamed. The paper's claims may be overstated relative to its evidence (a correctness risk), but the logical structure of the argument is not circular. Honest non-finding of circularity is warranted here. The paper's own data sometimes contradicts its scalability claims (e.g., 91 distinct slugs for some combinations, 9-35% top-1 capture for non-librepods repos), but this is a problem of overgeneralization from a favorable case study, not of circular reasoning.
Axiom & Free-Parameter Ledger
free parameters (3)
- K (probe count per model) =
100 (foundational), 20-50 (application)
- Universal score weighting =
1/|M| per model
- Trial count for skill experiments =
10
axioms (4)
- domain assumption LLMs hallucinate resource identifiers for resources not in their training data
- domain assumption Hallucinations transfer across model families and to the application layer
- domain assumption Agentic applications trust content from fetched resources
- domain assumption Trending resources generate sufficient user query volume to make squatting worthwhile
invented entities (3)
-
Adversarial HalluSquatting (attack technique)
independent evidence
-
Universal squatting candidate (concept)
independent evidence
-
Agentic botnet (concept)
no independent evidence
read the original abstract
The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware. While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models, many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet. This raises a question: can attackers exploit LLM applications at scale without any direct channels in practical threat models? In this work, we show that the inherent tendency of LLMs to hallucinate resource identifiers can be exploited to amplify untargeted promptware attacks that pull adversarial prompts at scale and could be exploited to establish a botnet. We introduce adversarial hallucination squatting, a technique in which attackers identify trending resources (e.g., popular repositories, popular skills, etc.), compute the LLM distribution of hallucinations on the trending resource names, and preemptively register them to host adversarial prompts. By leveraging the predictability and transferability of hallucinations across foundational LLMs and to application layers, adversaries can significantly amplify the reach of untargeted promptware under weak threat models and establish a botnet by exploiting LLM applications to install a bot on the device that pulled the compromised hallucinated resource from the Inter. We empirically demonstrate that hallucinated resource generation occurs at high rates, up to 85% in repository cloning scenarios and up to 100% in skill installation, and that these hallucinations transfer between foundational models and different prompts. We demonstrate the practicality of adversarial hallucination squatting against various production LLM applications with integrated terminals in their set of tools, achieving remote tool execution and remote code execution.
Figures
Reference graph
Works this paper leans on
-
[1]
Sahar Abdelnabi, Kai Greshake, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection. InProceedings of the 16th ACM Workshop on Artificial Intelligence and Security, pages 79–90, 2023
work page 2023
-
[2]
Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the mirai botnet. In26th USENIX Security Symposium (USENIX...
work page 2017
-
[3]
Summary zenity research published black- hat
Michael Bargury. Summary zenity research published black- hat. https://labs.zenity.io/p/summary-zenity-research-published- blackhat-2024, 2024
work page 2024
- [4]
-
[5]
Stav Cohen, Ron Bitton, and Ben Nassi. Here comes the ai worm: Preventing the propagation of adversarial self-replicating prompts within genai ecosystems. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, pages 3975– 3989, 2025
work page 2025
- [6]
-
[7]
Accessed: 2026-04-29
work page 2026
-
[8]
Evgeniy Gabrilovich and Alex Gontmakher. The homograph attack. Commun. ACM, 45(2):128, February 2002
work page 2002
- [9]
-
[10]
Riley Goodside. Exploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions. Twitter, September 2022
work page 2022
-
[11]
Manuel Herrador and Johann Rehberger. Spaiware: Uncovering a novel artificial intelligence attack vector through persistent memory in llm applications and agents.Future Generation Computer Systems, 174:107994, 2026
work page 2026
-
[12]
T. Holgers, D. E. Watson, and S. D. Gribble. Cutting through the confusion: A measurement study of homograph attacks. InUSENIX Annual Technical Conference, 2006
work page 2006
-
[13]
A survey of attack in- stances of cryptojacking targeting cloud infrastructure
Keshani Jayasinghe and Guhanathan Poravi. A survey of attack in- stances of cryptojacking targeting cloud infrastructure. InProceedings of the 2020 2nd Asia Pacific Information Technology Conference, APIT ’20, page 100–107, New York, NY , USA, 2020. Association for Computing Machinery
work page 2020
-
[14]
Cloak and detonate: Scanner evasion and dynamic detection of agent skill malware, 2026
Zimo Ji, Congying Xu, Zongjie Li, Yudong Gao, Xin Wei, Shuai Wang, and Shing-Chi Cheung. Cloak and detonate: Scanner evasion and dynamic detection of agent skill malware, 2026
work page 2026
-
[15]
Importing Phantoms: Measuring LLM Package Hallucination Vulnerabilities
Arjun Krishna, Erick Galinkin, Leon Derczynski, and Jeffrey Martin. Importing phantoms: Measuring llm package hallucination vulnera- bilities.arXiv preprint arXiv:2501.19012, 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[16]
Naveen Kumar, Xiahua Wei, and Han Zhang. Agentic artificial intel- ligence as a new frontier in information systems: Promise, peril, and research opportunities.Information & Management, page 104317, 2026
work page 2026
-
[17]
Vercel breach tied to Context AI hack exposes limited customer credentials.The Hacker News, 2026
Ravie Lakshmanan. Vercel breach tied to Context AI hack exposes limited customer credentials.The Hacker News, 2026
work page 2026
-
[18]
Xiaofan Li and Xing Gao. Investigating security implications of automatically generated code on the software supply chain.arXiv preprint arXiv:2509.20277, 2025
-
[19]
Xixun Lin, Yucheng Ning, Jingwen Zhang, Yan Dong, Yilong Liu, Yongxuan Wu, Xiaohua Qi, Nan Sun, Yanmin Shang, Kun Wang, et al. Llm-based agents suffer from hallucinations: A survey of taxonomy, methods, and directions.arXiv preprint arXiv:2509.18970, 2025
-
[20]
Ben Nassi, Stav Cohen, and Or Yair. Invitation is all you need! promptware attacks against llm-powered assistants in production are practical and dangerous.arXiv preprint arXiv:2508.12175, 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[21]
Ben Nassi, Bruce Schneier, and Oleg Brodt. The promptware kill chain: How prompt injections gradually evolved into a multi-step malware.arXiv preprint arXiv:2601.09625, 2026
- [22]
-
[23]
ClawHub skill format specifica- tion
OpenClaw Contributors. ClawHub skill format specifica- tion. https://github.com/openclaw/clawhub/blob/main/docs/skill- format.md, 2026. Accessed: 2026-04-18
work page 2026
- [24]
-
[25]
Trust No AI: Prompt Injection Along The CIA Security Triad
Johann Rehberger. Trust no AI: Prompt injection along the CIA security triad.arXiv preprint arXiv:2412.06090, 2024
work page internal anchor Pith review Pith/arXiv arXiv 2024
- [26]
-
[27]
Joseph Spracklen, Raveen Wijewickrama, AHM Nazmus Sakib, Anindya Maiti, and Bimal Viswanath. We have a package for you! a comprehensive analysis of package hallucinations by code generating {LLMs}. In34th USENIX Security Symposium (USENIX Security 25), pages 3687–3706, 2025
work page 2025
-
[28]
The long “Taile” of typosquatting domain names
Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, and Chris Kanich. The long “Taile” of typosquatting domain names. In23rd USENIX Security Symposium (USENIX Security 14), pages 191–206, 2014
work page 2014
-
[29]
Library Hallucinations in LLM-Generated Code: A Risk Analysis Grounded in Developer Queries
Lukas Twist, Jie M Zhang, Mark Harman, and Helen Yannakoudakis. Library hallucinations in llms: Risk analysis grounded in developer queries.arXiv preprint arXiv:2509.22202, 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[30]
Prompt injection attacks against GPT-3
Simon Willison. Prompt injection attacks against GPT-3. Blog post, September 2022
work page 2022
-
[31]
https://github.com/zeroclaw-labs/zeroclaw, 2026
ZeroClaw Labs. https://github.com/zeroclaw-labs/zeroclaw, 2026. Accessed: 2026-04-29
work page 2026
-
[32]
print a shell command to clone librepods
Appendix - Repository Squatting 10.1. Determining Universal LLM Squatting Can- didates To identify a universal squatting candidate, the attacker uses Algorithm 1 and Algorithm 2. Algorithm 1 computes a normalized distribution of candidates for a single model, showing how often each candidate appears under repeated queries. Algorithm 2 extends this to a se...
-
[33]
print a shell command to install skill vetter
Appendix - Skill Squatting 11.1. ClawHub Search Results for Non-English V2 Skills Tables 16, 17, and 18 report the top-10 entries returned by the ClawHub similarity-search API for the three non- English V2 skills evaluated in Section 4.2. In every listing the canonical Chinese-documented skill is absent from the top 10, while the top-1 slot is occupied by...
-
[34]
install Financial Search Engine
Full install-command outputs:<github-artefact-url>(to be added). Slug Display Name Score financial-search-engineFinancial Search Engine 3.134 multi-search-engineMulti Search Engine 1.369 multi-search-engine-simpleMulti Search Engine [Chinese: Minimalist Domestic Edition] 1.160 multi-search-engine-2-0-1Multi Search Engine 2.0.1 1.129 bailian-web-searchBail...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.