Visual Explainer

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate visual-report generator, but it grants broad code/session access and includes side effects that users should review before installing.

Install only if you are comfortable with an agent reading substantial repository context and sometimes session/progress notes to build reports. Treat generated HTML as potentially sensitive, avoid public/ngrok sharing unless sanitized, review before allowing surf/Gemini image generation, and be careful with the server cleanup scripts and the fact-check command because they can affect local processes or edit files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (53)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly recommends using ngrok to create a public URL for locally served HTML reports, which expands exposure from local-only access to internet-accessible sharing. Because the skill's purpose is generating self-contained visual explanations rather than securely publishing content, this guidance can lead users to unintentionally expose sensitive architecture diagrams, code-change summaries, or internal data without authentication or access controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The command explicitly instructs users to host generated reports over HTTP and even provides a LAN-accessible IP address, which extends the skill from local visualization into network serving. Because these reports may contain sensitive architecture, code-change, or project data, exposing them on the network without access controls meaningfully increases disclosure risk beyond the skill's core purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The prompt explicitly instructs the agent to mine prior conversation context and read project progress files from home-directory memory stores, which goes beyond the user-facing purpose of producing a diff visualization. That creates unnecessary access to potentially sensitive session history, notes, or unrelated project context, and can cause private data to be incorporated into the generated HTML review or exposed to downstream tools.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
Invoking `surf gemini --generate-image` introduces an external content-generation capability unrelated to the minimum requirements for reviewing code diffs. This can transmit repository-derived prompts or sensitive change context to an external service and expands the attack surface without a clear necessity for the skill's core function.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The prompt repurposes a visual-explainer skill into a codebase fact-checker with authority to inspect repository contents and git history. This is a scope expansion beyond the declared skill purpose, which increases the chance of unintended data access and misuse because callers may invoke the skill expecting only presentation generation, not broad repository auditing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The instructions authorize broad verification against source and git history, including re-running git commands and comparing historical versions. In a skill advertised as producing visual explanations, this creates hidden high-privilege inspection behavior that can expose repository metadata, historical content, or unrelated files beyond what a user reasonably expects.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The prompt instructs direct in-place edits to arbitrary HTML, markdown, or text documents, including rewriting sections when deemed fundamentally wrong. Hidden write capability is dangerous because it can alter user content destructively, overwrite important files, or be abused to tamper with documentation under the guise of visualization support.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The prompt instructs the agent to invoke an external CLI (`surf gemini --generate-image`) based on environmental availability, which expands the skill from HTML generation into tool execution and networked/image-generation behavior. This is dangerous because it can trigger unreviewed side effects, unexpected data egress to third-party services, or execution of a local binary outside the skill's stated scope.

Description-Behavior Mismatch

Severity: Low
Confidence: 92%
Finding
The skill directs the agent to open the generated result in a browser, which goes beyond content generation into local side-effectful execution. Even if the browser action seems minor, it can surprise users, trigger local application launches, and create unintended exposure of generated content or URLs without explicit approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The prompt expands the skill from generating self-contained HTML into optionally invoking an external AI image-generation CLI. That introduces a new capability with different trust, privacy, and execution boundaries, including possible network transmission of user content and dependence on a local tool not clearly required for the skill’s core purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The prompt authorizes invoking an external `surf gemini --generate-image` CLI and embedding its output, which expands the skill from HTML generation into external tool execution and model-backed content generation. This creates unnecessary attack surface: the CLI may transmit repository or plan-derived content off-host, execute untrusted dependencies, or produce unreviewed output without explicit user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The instruction to write artifacts to `~/.agent/diagrams/` and open them in a browser exceeds a pure content-generation skill and causes side effects on the user's system. Unprompted file creation plus browser launch can leak sensitive plan/code details into persistent storage, expose them to browser extensions/history, and violate least astonishment for a review-oriented skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The prompt explicitly instructs the agent to mine conversation history for decision context, which expands data access beyond the skill's stated role of generating visual HTML recaps from project artifacts. Conversation history can contain unrelated secrets, credentials, or sensitive user context, so this creates an unnecessary data-exposure path and violates least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
Invoking an external `surf` CLI to generate a hero image introduces additional tool execution and outbound processing not required for producing a project recap HTML page. Even if optional, it broadens the attack surface, may transmit project context to another tool or service, and can create side effects beyond the user's expected scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The prompt directs the agent to write files into a persistent user directory and open them in a browser, which goes beyond mere content generation and causes side effects on the host. This is risky because it creates persistent artifacts and triggers execution-like behavior in a browser without explicit user confirmation, potentially exposing sensitive recap contents or normalizing unsafe autonomous actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The file instructs the agent to proactively invoke external tooling (`which surf`, `surf`, `base64`, `rm`) and generate images before writing HTML, which expands the skill from HTML generation into local command execution and external model interaction. In an agent environment, this increases attack surface, can trigger unintended subprocesses or networked content generation, and violates least-privilege for a presentation-formatting skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
This instruction explicitly tells the agent to run subprocess-style shell commands as part of normal deck generation, even though the skill's stated purpose is visual explanation in self-contained HTML. Embedding operational shell steps in content guidance can cause agents to cross trust boundaries, execute local commands unnecessarily, and mishandle files or environment state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The script indiscriminately finds and kills whatever process is bound to ports 8080-8089, without verifying that the process belongs to this skill or was started by it. In a skill whose stated purpose is generating visual HTML explanations, process-termination logic is unnecessary and mismatched, so it creates avoidable risk of disrupting unrelated local services or developer workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
This file contains destructive behavior—deleting a local state file and terminating processes—that does not align with the declared visual-explainer functionality. Capability drift of this kind is dangerous because users and reviewers would not expect a visualization skill to modify local runtime state or stop services, increasing the chance of unnoticed harmful side effects.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The fallback logic enumerates any process listening on ports 8080-8089 and sends kill signals without verifying ownership, executable name, or whether the process belongs to this skill. This can terminate unrelated local services such as development servers, dashboards, proxies, or other agents, causing denial of service and potentially disrupting user workflows or other applications.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The script documentation claims it targets a Python HTTP server, but the implementation actually kills any listener on ports 8080-8089. That mismatch increases operational risk because users or maintainers may trust the script as narrowly scoped when it is not, leading to accidental termination of unrelated services.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The comment says the fallback targets 'any Python HTTP server,' but the code does not perform a Python or HTTP-specific check and instead kills arbitrary listeners on common ports. This misleading documentation can conceal the true scope of the action and make unsafe behavior more likely to be reused or approved during review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The template claims to generate self-contained HTML, but it pulls fonts from Google-hosted infrastructure. This introduces privacy, availability, and supply-chain risk because rendering depends on third-party network access and external content integrity, which is especially relevant for a reusable agent skill that may be used in sensitive or offline contexts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
Finding
The page imports Mermaid and ELK directly from public CDNs despite the skill description promising self-contained HTML pages. That creates a supply-chain and integrity risk: code execution in the browser depends on mutable third-party resources, and the page may fail or behave unexpectedly in restricted environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The template claims to generate self-contained HTML but loads Google Fonts and other third-party resources at runtime, which breaks that guarantee and causes outbound network access when the file is opened. This creates privacy, availability, and supply-chain risk because rendering now depends on remote servers and the integrity of externally hosted assets.

VirusTotal

64/64 vendors flagged this skill as clean.