Table To Image
Security checks across malware telemetry and agentic risk
Overview
The skill does what it claims, but its helper script builds a shell command from unvalidated arguments, which could let a crafted request run unexpected local commands.
Use caution before installing. The skill is simple and purpose-aligned, but it should be fixed to safely invoke wkhtmltoimage before allowing custom widths or output filenames from prompts or copied content.
VirusTotal
1/66 vendors flagged this skill as malicious, and 65/66 flagged it as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted width or output filename could cause the local machine to run unintended commands under the user's account.
The script takes command-line arguments for the output file and width, then interpolates them directly into a shell command. If either value contains shell metacharacters and reaches this helper, the shell could execute commands beyond table-to-image conversion.
const outputFile = args[1];
const width = args[2] || '900';
...
execSync(`wkhtmltoimage --quality 100 --width ${width} ${tempFile} ${outputFile}`, {

Replace execSync with execFileSync or spawn using an argument array, validate width as a number, and restrict output paths to a safe agent-controlled temporary location.
