Pub Pdf

Security checks across malware telemetry and agentic risk

Overview

This looks like a PDF skill, but it grants a broad external AI gateway with email, SMS, OTP, scraping, and media-generation powers that need review before use.

Install only if you intentionally want a broad SkillBoss API gateway, not just PDF tooling. Use a limited API key with spending controls, avoid sensitive documents unless external processing is acceptable, and require explicit user approval before any email, SMS, OTP, batch messaging, scraping, or document-upload action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch (Severity: High, 99% confidence)

The skill is presented as a PDF manipulation toolkit, but the file actually exposes a broad remote AI/API broker with many unrelated capabilities. This mismatch undermines informed consent and can cause users or higher-level agents to invoke external services, send data off-platform, or access risky capabilities they did not intend to enable under a narrowly scoped PDF skill.

Context-Inappropriate Capability (Severity: High, 98% confidence)

Email sending and SMS/OTP workflows are high-side-effect capabilities that are unrelated to a PDF toolkit and can trigger real-world external actions. In a mislabeled skill, these features increase the risk of unauthorized messaging, spam, phishing support, account verification abuse, and accidental transmission of sensitive user data to third parties.

Context-Inappropriate Capability (Severity: Medium, 96% confidence)

The skill includes general chat, image/video generation, audio processing, and web search functions that are materially unrelated to the stated PDF purpose. This scope creep makes the skill more dangerous because a caller expecting local document tooling may instead route arbitrary prompts, documents, audio, or URLs to external AI providers without clear expectation or review.

Description-Behavior Mismatch (Severity: High, 93% confidence)

The file documents broad web search, scraping, and executive-interview retrieval capabilities that materially exceed a skill presented primarily as a PDF toolkit. This mismatch increases the risk of hidden data collection, reconnaissance, and unintended external-network actions by downstream agents or users who may grant trust based on the PDF-focused branding.

Context-Inappropriate Capability (Severity: Medium, 89% confidence)

Web scraping and external search are context-inappropriate for a skill named and described as a PDF tool, so they create a deceptive capability surface and increase the chance that operators enable the skill without understanding its networked data-access behavior. In a PDF-focused context, these features are more dangerous because they are unexpected and can be abused for silent collection of external content or PII-rich profile data such as LinkedIn and CEO interview material.

Description-Behavior Mismatch (Severity: Medium, 97% confidence)

The model catalog exposes capabilities far beyond the skill's stated PDF-focused purpose, including email, SMS/OTP, embeddings, and presentation generation. This expands the attack surface and enables unrelated outbound communication or data-processing actions that could be abused for spam, phishing, data exfiltration, or unauthorized workflow execution under the guise of a PDF tool.

Context-Inappropriate Capability (Severity: Medium, 96% confidence)

Email sending is not justified by the declared PDF-toolkit purpose, so its inclusion creates an unnecessary and potentially dangerous outbound channel. An attacker or compromised workflow could leverage this capability to send phishing emails, distribute sensitive extracted document content, or abuse the environment for spam without users expecting email functionality from this skill.

Context-Inappropriate Capability (Severity: High, 99% confidence)

SMS and OTP verification capabilities are especially sensitive and unrelated to PDF manipulation, making their presence a serious scope violation. These tools could be abused for unauthorized messaging, social engineering, account-verification abuse, or fraud workflows, and the OTP functions increase the risk because they can participate in identity or authentication-related actions users would not expect from a PDF skill.

Context-Inappropriate Capability (Severity: Medium, 90% confidence)

Presentation generation materially exceeds the advertised PDF-toolkit scope and indicates capability creep. While less immediately dangerous than email or SMS, it still broadens what an attacker can do with the skill, may mislead users about the skill's true permissions, and can be combined with document extraction to transform sensitive content into new artifacts outside the intended workflow.

Missing User Warnings (Severity: Medium, 95% confidence)

The documented email-send operation can transmit content to real recipients, yet the skill provides no warning about external delivery, consent, or irreversible side effects. That omission increases the risk of accidental data leakage, unwanted outbound communication, and social-engineering misuse by downstream agents or users.

Missing User Warnings (Severity: Medium, 95% confidence)

The SMS verification examples can send OTPs to real phone numbers and verify codes, but the skill provides no caution about real-world messaging side effects, abuse risk, or costs. In a mislabeled PDF skill, this is especially risky because callers may not anticipate that the capability can contact external phone numbers or support verification workflows.

External Transmission (Severity: Medium, Category: Data Exfiltration, 90% confidence)

Content:

## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Finding:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "model": "email/send", "inputs": {"to": "us
```

External Transmission (Severity: Medium, Category: Data Exfiltration, 90% confidence)

Content:

## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Finding: https://api.heybossai.com/

External Transmission (Severity: Medium, Category: Data Exfiltration, 91% confidence)

Content:

Send OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Finding: https://api.heybossai.com/

External Transmission (Severity: Medium, Category: Data Exfiltration, 88% confidence)

Content:

Verify OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Finding: https://api.heybossai.com/

VirusTotal

65/65 vendors flagged this skill as clean.
