Markdown to PDF Advanced

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Markdown-to-PDF converter, but it can install unpinned Python packages during normal use and may fetch network resources while rendering documents.

Review before installing. Use this only in a virtual environment or container, preinstall reviewed and pinned dependencies yourself, and avoid converting untrusted Markdown unless remote URLs and local file references have been checked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Try to install WeasyPrint automatically"""
    print("WeasyPrint not found. Attempting to install...")
    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install", "--quiet",
            "weasyprint", "markdown", "Pygments"
        ])
Confidence
97% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--quiet", "weasyprint", "markdown", "Pygments" ])

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation demonstrates file-read and shell execution behavior, but the manifest does not clearly declare corresponding permissions/capabilities. This weakens policy enforcement and user awareness, making it easier for the skill to perform sensitive actions without appropriate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior exceeds the stated purpose by including dependency installation and external tool invocation, while also misrepresenting supported backends and options. Description-behavior mismatch is dangerous because reviewers may approve the skill for low-risk document conversion without realizing it can install software and invoke additional binaries.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest claims no network is required, yet the documentation advertises support for remote images during conversion. This inconsistency can conceal outbound requests, creating SSRF, privacy leakage, and policy bypass risks when untrusted markdown references external resources.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Allowing remote resource fetching is not justified by the stated local markdown-to-PDF use case and expands the attack surface unnecessarily. When processing untrusted markdown, external image or asset retrieval can trigger network egress, metadata leakage, or access to internal services depending on the renderer.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exceeds its declared document-conversion scope by auto-installing Python packages during execution. This broadens the trust boundary from local file conversion to environment modification and remote package retrieval, increasing the attack surface and creating persistence or supply-chain risk on the host.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Executing pip install from within the skill alters the host environment in a way not necessary for ordinary markdown-to-PDF conversion. Because package installation runs setup/build logic and pulls code from external repositories, this can be abused for supply-chain compromise or unintended code execution with the privileges of the agent process.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code performs automatic package installation without explicit approval from the operator. In a security-sensitive agent context, silently changing the environment and downloading executable dependencies is unsafe because it can surprise administrators, bypass change control, and expose the system to package-source tampering.

VirusTotal

66/66 vendors flagged this skill as clean.
