LaTeX Writer

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward LaTeX/PDF generator; its main risk is the expected local TeX compilation of documents or templates users provide.

Install this if you want help generating LaTeX documents and PDFs. Before compiling, review generated .tex content when the source is important or sensitive, use only trusted .cls/.sty templates, and keep your TeX distribution up to date. Avoid compiling LaTeX received from untrusted sources unless you run it in a sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises capabilities that imply reading/writing files and invoking a shell for PDF compilation, but it declares no permissions or safety boundaries. In a LaTeX workflow, custom templates and compilation are especially sensitive because TeX engines and build steps can touch the local filesystem, spawn helper tools, or process attacker-controlled content, increasing the risk of unintended file access or command execution paths.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger conditions are broad enough that the skill may activate for general requests about writing, PDFs, or formatting without the user intending local compilation or template handling. That increases the chance the agent performs file or build actions in the wrong context, especially given the skill's implied shell and filesystem capabilities.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description promotes auto-compilation and custom template import without warning users that these actions can modify local files, create build artifacts, and execute external compilation tools. In this skill context that omission is more dangerous than usual because LaTeX compilation commonly invokes multiple tools and processes untrusted document/template content.

VirusTotal

66/66 vendors flagged this skill as clean.
