ClawHub
Back to skill

Security audit

Binary To From File Converter

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AgentPMT converter for base64, hex, binary, and temporary cloud file workflows, with privacy caution for file contents and signed links.

Install this only if you want AgentPMT-hosted conversion and temporary cloud file storage. Avoid sending secrets, regulated data, or private documents unless you explicitly intend remote processing, and treat returned signed URLs as shareable temporary download links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes remote file conversion and cloud storage behavior, but it does not prominently warn near the top-level description that file contents are transmitted to a third-party remote service and that generated files are exposed through signed URLs. This can lead agents or users to send sensitive documents, attachments, or binaries off-platform without informed consent, creating confidentiality and data handling risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The `base64_to_file` action explicitly stores decoded data in cloud storage and returns a signed download URL, but the schema does not warn users that provided content will leave the immediate agent context and become externally retrievable. This can lead to unintended disclosure of sensitive decoded attachments, documents, or secrets, especially in multi-agent or automated workflows where users may assume conversion is purely local/transient.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal