AI-Tender

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its bid-document parsing purpose, but it automatically starts a LAN-accessible background preview server that can expose generated reports and local skill files, so it needs careful review.

Install only if you are comfortable sending tender documents to your configured LLM provider and can run the tool in a restricted environment. Do not use it on confidential bids without disabling or containing the HTTP preview server, binding preview to localhost only, and protecting env_config.md/API keys from LAN exposure. Pin and review dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        kwargs["creationflags"] = subprocess.DETACHED_PROCESS | subprocess.CREATE_NEW_PROCESS_GROUP
    else:
        kwargs["start_new_session"] = True
    proc = subprocess.Popen(cmd, **kwargs)
    ip = _get_local_ip()
    base_url = f"http://{ip}:{port}"
    return proc, base_url
Confidence
95% confidence
Finding
proc = subprocess.Popen(cmd, **kwargs)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims to parse bid documents, but its instructions also require generating promotional PDF output, embedding marketing content, fetching remote images, optionally serving files over a local HTTP server, and supporting URL-based remote file retrieval. These extra behaviors expand the attack surface beyond the user-expected document parsing workflow and can expose sensitive bid data, enable SSRF-like remote fetching, or unintentionally share generated outputs over the local network.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script starts a local HTTP server bound to all interfaces and exposes the generated PDF over the network, which is unnecessary for the stated purpose of parsing bid documents. In a tender-processing context, outputs may contain confidential procurement information, so LAN exposure materially increases the risk of unauthorized access.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The function accepts arbitrary http/https URLs and downloads their contents, expanding the skill into a generic network retriever rather than a local tender parser. This broadens attack surface, can fetch untrusted or oversized content, and may be abused to pull documents from attacker-controlled sources for downstream processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to configure an external OpenAI-compatible LLM endpoint to process tender documents, but does not warn that document contents may be transmitted to a third-party service. Tender files commonly contain confidential commercial, technical, pricing, or personal data, so silent remote transmission creates a real data exposure and compliance risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill uploads bid documents to an external LLM file-extraction API without an explicit user-facing warning or consent flow. Tender documents often contain confidential commercial, technical, and pricing information, so silent external transmission can create serious data leakage and compliance risks.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script exposes a generated PDF via a background HTTP server bound to all interfaces without a clear warning that other devices on the local network may access it. Given the business context, the PDF may contain extracted tender requirements or sensitive project details, making silent network exposure especially risky.

Ssd 1

High
Confidence
99% confidence
Finding
The code places untrusted document content into a system-role message, granting document text the highest instruction priority in the prompt. A maliciously crafted tender document can inject adversarial instructions that override the intended extraction task, causing data manipulation, unsafe behavior, or misleading outputs.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Dependencies for the tender-document parsing tool

# PDF processing
pypdf>=3.0.0

# LLM API calls
openai>=1.0.0
Confidence
88% confidence
Finding
pypdf>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pypdf>=3.0.0

# LLM API calls
openai>=1.0.0

# Other tools
python-dotenv>=1.0.0
Confidence
83% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0

# Other tools
python-dotenv>=1.0.0

# Result export and preview
pandas>=2.0.0
openpyxl>=3.1.0
Confidence
86% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0

# Result export and preview
pandas>=2.0.0
openpyxl>=3.1.0
weasyprint>=60.0
reportlab>=4.0.0
qrcode>=7.4
Confidence
90% confidence
Finding
openpyxl>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Result export and preview
pandas>=2.0.0
openpyxl>=3.1.0
weasyprint>=60.0
reportlab>=4.0.0
qrcode>=7.4
Confidence
91% confidence
Finding
weasyprint>=60.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Result export and preview
pandas>=2.0.0
openpyxl>=3.1.0
weasyprint>=60.0
reportlab>=4.0.0
qrcode>=7.4
Confidence
96% confidence
Finding
reportlab>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.1.0
weasyprint>=60.0
reportlab>=4.0.0
qrcode>=7.4
Confidence
80% confidence
Finding
qrcode>=7.4

Known Vulnerable Dependency: pypdf — 10 advisory(ies): CVE-2026-24688 (pypdf has possible Infinite Loop when processing outlines/bookmarks); CVE-2026-27628 (pypdf has a possible infinite loop when loading circular /Prev entries in cross-); CVE-2026-40260 (pypdf: Manipulated XMP metadata entity declarations can exhaust RAM) +7 more

Low
Category
Supply Chain
Confidence
95% confidence
Finding
pypdf

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
93% confidence
Finding
openpyxl

Known Vulnerable Dependency: weasyprint — 2 advisory(ies): CVE-2024-28184 (WeasyPrint allows the attachment of arbitrary files and URLs to a PDF); CVE-2025-68616 (WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP R)

High
Category
Supply Chain
Confidence
96% confidence
Finding
weasyprint

Known Vulnerable Dependency: reportlab — 6 advisory(ies): CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser) +3 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
reportlab

VirusTotal

66/66 vendors flagged this skill as clean.