PDF Report

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PDF report generator; its local installs and persistent Python environment deserve review but fit the stated purpose.

Install only if you are comfortable running the listed apt-get and pip commands. Prefer a pinned or freshly recreated virtual environment for reproducibility, keep input/output paths inside the workspace, and remove ~/.openclaw/workspace/.venv_pdf if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to read JSON and template files, write PDFs/HTML, and use a Python environment, but it declares no permissions. This mismatch is a real security issue because it hides the skill's actual capabilities from any permission or policy layer and can lead to unintended file access or modification within the workspace.

Session Persistence

Medium
Category: Rogue Agent
Content:

```bash
sudo apt-get install -y libpango-1.0-0 libpangocairo-1.0-0 libgdk-pixbuf2.0-0 libffi-dev libcairo2
```

Create a virtual environment and install Python dependencies (one-time):

```bash
python3 -m venv ~/.openclaw/workspace/.venv_pdf
```

Confidence: 85%
Finding: Create a virtual environment and install Python dependencies (one-time):

```bash
python3 -m venv ~/.openclaw/workspace/.venv_pdf
~/.openclaw/workspace/.venv_pdf/bin/pip install weasyprint jinja2
```

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
