formatferry-markdown

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed document-to-Markdown converter with optional network and credential-backed features, but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable using the FormatFerry CLI. Use local file or stdin conversion for private documents, avoid --url for sensitive or internal links unless server-side processing is acceptable, and prefer environment variables or temporary credentials until the CLI documents how stored API and license keys are protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The skill markets itself as local-first and emphasizes that local file content never leaves the machine, but it also documents a `--url` mode that sends content to a server and relies on an external CLI whose actual behavior is not verified by the wrapper. This creates a trust-boundary and transparency problem: users or downstream agents may assume stronger privacy guarantees than the implementation can enforce, leading to unintended disclosure or policy violations.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding:
The README claims the tool is 'local-first' and that file content never leaves the machine, but it also advertises a URL extraction mode gated by an API key. That inconsistency can mislead users about network behavior and data handling, causing them to use the skill in environments where outbound requests or third-party processing are prohibited.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding:
The script exposes a --url input path even though the skill is described as local-first and emphasizes that local file content never leaves the machine. Allowing remote URL fetching expands the trust boundary and can lead to unexpected network access, privacy issues, or SSRF-style access if the underlying formatferry tool fetches arbitrary URLs in sensitive environments.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
Network-oriented input is not inherently unsafe, but in this skill it contradicts the stated local-only positioning and introduces a capability that can be abused to access attacker-controlled remote content. In automation or agent contexts, this can trigger unintended outbound requests and processing of untrusted remote documents, increasing exposure to SSRF, tracking, or parser exploit chains in the external converter.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The documentation advertises fetching content from external URLs but does not warn users that invoking this option sends network requests and may expose browsing targets, IP address, metadata, or retrieved content to external services. In a tool marketed as local-first, that omission can mislead privacy-sensitive users into using a networked feature without informed consent.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The auth section tells users to set and persist API and license keys without explaining whether they are stored in plaintext, in config files, or in a secure OS keystore. That omission creates credential-handling risk because users may unknowingly place sensitive secrets on disk in insecure locations or fail to manage them safely.

VirusTotal

64/64 vendors flagged this skill as clean.
