chat2workflow

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed workflow-design assistant with optional local conversion utilities; it can generate workflows containing code or HTTP nodes, so users should review generated workflows before running them.

Install only if you want a workflow generator for Dify or Coze. Treat generated workflows as active automation: review any code, HTTP-request, search, file, or credential-related nodes before importing or running them, and avoid placing real API keys or passwords into generated JSON. Run the optional converter scripts only when you intentionally want local YAML or ZIP export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The file implements broad filesystem write behavior: it creates output directories, writes YAML files, copies and rewrites a manifest, and produces ZIP archives. That directly conflicts with the stated skill behavior of being design-only and text-output-only, which makes the capability materially more dangerous because it expands the trust boundary from pure text generation to local file packaging. In a skill whose advertised purpose is only to emit workflow JSON as text, hidden or undocumented file-generation capability can be abused to write untrusted artifacts to disk and mislead users or hosting platforms about what the skill actually does.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
The Coze conversion path builds a staging directory, copies local files, modifies MANIFEST content, and emits a distributable ZIP package. For a skill described as only producing text and never running scripts, this packaging capability is unnecessary and high risk because it enables local artifact creation and repackaging of bundled content, which can be leveraged to smuggle misleading or unsafe deliverables under the guise of a harmless design assistant. The mismatch between declared behavior and implemented capability increases the likelihood that reviewers or users will under-assess the risk.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This code explicitly stores transformed Python source in `self.parameters["code"]` for a `Code` node whose description is `Code execution`, which contradicts the stated design-only, text-only purpose of the skill. Even if this file only builds JSON/text, it is packaging executable logic for downstream execution on Coze, so an attacker could smuggle arbitrary code into generated workflows and cause code execution when the workflow is later imported or run.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The file provides end-to-end support for transforming user-supplied code signatures and embedding the resulting code plus inputs/outputs into a platform `code` node, enabling creation of executable workflow components. In the context of a skill advertised as only producing structured text and never running scripts, this hidden capability materially increases risk because users or downstream systems may trust the output as inert design data when it actually contains executable payloads.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding
This file defines a workflow node that emits an executable HTTP Request step, enabling outbound network access in the generated workflow. That conflicts with the stated design-only scope and creates a capability for SSRF, data exfiltration, or interaction with internal services once a generated workflow is imported and run on Dify/Coze.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
Including an HTTP request capability in a supposedly design-only workflow generator broadens the attack surface beyond passive JSON drafting. Even though this code does not itself execute requests, it packages a node that will cause real outbound calls when the produced workflow is later deployed, which is dangerous in this skill context because users may trust the manifest and underestimate the operational risk.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
PyYAML>=6.0
json_repair>=0.30.0
Confidence: 97%
Finding
PyYAML>=6.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
PyYAML>=6.0
json_repair>=0.30.0
Confidence: 96%
Finding
json_repair>=0.30.0

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 90%
Finding
PyYAML

VirusTotal

64/64 vendors flagged this skill as clean.