Image Breaker

Security checks across malware telemetry and agentic risk

Overview

This skill openly turns user-provided documents into persistent Markdown notes and Obsidian entries, with configuration and privacy caveats but no evidence of deception or harmful behavior.

Install only if you want shared documents, screenshots, or PDFs saved as Markdown and copied into an Obsidian workflow. Before using it, change the hardcoded Obsidian vault path, review the separate obsidian-sync helper, and avoid processing confidential or medical material unless you are comfortable with it being persisted and reviewed before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises document processing but includes file-write and shell-execution behavior without declaring permissions or clearly constraining their use. Hidden write/exec capability expands the attack surface because extracted content can be silently persisted locally and a subprocess can be launched in the user's environment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The documented behavior materially exceeds the stated purpose by invoking a separate sync script and using a hardcoded local Obsidian vault path, while the extraction logic itself is only described at a placeholder level. This mismatch is dangerous because users may trust the skill as a simple extractor when it actually performs local persistence and externalized syncing actions on potentially sensitive content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill instructs execution of an external Python script via shell-style invocation, which introduces subprocess capability beyond note creation. Any external script execution increases risk because it can perform arbitrary filesystem or network actions, and here it operates on user-derived content and local paths.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill states that notes are saved locally and synced to Obsidian but does not warn users that extracted document contents may be written to disk and copied into another location. This is especially risky for PDFs, screenshots, and documents that may contain sensitive personal, medical, business, or proprietary information.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The workflow explicitly directs automatic file creation and Obsidian sync for extracted content without any sensitivity checks, consent gate, or warning. In context, this skill handles arbitrary web pages, PDFs, images, and pasted text, so it can easily persist confidential data to local storage and replicate it into a synced note repository.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Best-practice guidance that mandates auto-sync by default normalizes data exfiltration from the immediate processing context into a secondary store without informed consent. Because this skill is designed for document ingestion, the default behavior increases the likelihood of unintentionally propagating sensitive extracted content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The medical/lab and protocol templates explicitly structure outputs around interpretation, action items, dosing, monitoring, and expected outcomes, which can make generated notes read like personalized clinical guidance. In the context of a skill that extracts user-provided PDFs, screenshots, and documents into organized notes, this increases the chance that unverified or decontextualized health content is reformatted into authoritative-seeming advice without any warning to obtain qualified professional review.

VirusTotal

64/64 vendors flagged this skill as clean.
