Tldraw Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent diagram skill, but it silently self-updates from Git and may install a global npm tool without asking first.

Install only if you are comfortable with automatic skill updates and a global npm CLI dependency. Safer use would disable or remove the silent git pull step, install tldraw-cli manually from a trusted source, and avoid vision self-checks for confidential architecture or business diagrams.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium, 97% confidence
Finding
The skill instructs the agent to run a silent `git pull` on its own skill directory before use, which changes executable behavior from remote content without user awareness or approval. Even with `--ff-only`, this is still an unreviewed code/content update path that can introduce malicious or broken instructions into future runs and violates the principle of least astonishment for a local diagram-generation skill.

Vague Triggers

Medium, 87% confidence
Finding
The README states the skill 'triggers automatically when diagrams would help explain complex systems,' which is a broad activation condition that can cause the skill to run without an explicit user request. In an agent context, over-broad triggers increase the chance of unintended tool execution, file creation, network access, or other side effects when a simple text response would have sufficed.

Missing User Warnings

Medium, 94% confidence
Finding
The README advertises an automatic update mechanism that runs 'a single git pull --ff-only' once per 24 hours on first use. Even if framed as non-blocking, this means the local skill installation may be modified implicitly, introducing unreviewed code changes from a remote repository into the agent's execution path.

Missing User Warnings

Low, 90% confidence
Finding
The README says users can request 'any output path' and that the skill will 'mkdir -p' and export there, which enables arbitrary directory creation and writes under agent control. In an automated environment, this can lead to overwriting files, polluting sensitive directories, or writing artifacts into locations later consumed by other tools or processes.

Missing User Warnings

Medium, 93% confidence
Finding
The documentation claims support for arbitrary output paths with automatic directory creation, but does not prominently warn that this writes to the local filesystem. If the agent runs as instructed, an attacker could use a manipulative prompt to have output written to sensitive locations, pollute the workspace, or cause unexpected file overwrites or persisted artifacts.

Missing User Warnings

Medium, 96% confidence
Finding
The README states that the skill automatically runs `git pull --ff-only` once every 24 hours to check for updates, but does not call this out as high-risk behavior. Automatically syncing from a remote repository and modifying the install directory means supply-chain and remote content changes are introduced into the session, potentially allowing unreviewed code or instructions into the local environment.

Missing User Warnings

Medium, 98% confidence
Finding
Silently updating the skill via `git pull` without disclosure or consent is a supply-chain risk and a trust-boundary violation. The danger is amplified because the update is hidden from the user and happens automatically based on a timestamp check, making remote changes execute under local agent privileges without review.

Missing User Warnings

Medium, 95% confidence
Finding
The skill tells the agent to automatically run `npm install -g @kitschpatrol/tldraw-cli` if the binary is missing, causing network-based code installation and modification of the user's environment without clear prior consent. This creates supply-chain exposure and can have broad system effects because global npm installs execute package lifecycle scripts and alter PATH-available tooling.

VirusTotal

64/64 vendors flagged this skill as clean.