ClawHub

PDF Catalog

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support PDF-to-output and Excel automation, but it under-discloses when files or workbooks may be changed.

Review this skill carefully before installing. Use copies of PDFs and spreadsheets, choose a dedicated output directory, and avoid pointing it at production workbooks unless you are comfortable with possible in-place edits or overwritten outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes capabilities to read PDFs, write generated outputs, invoke shell tools like pdftotext/pdftoppm, and modify Excel files, but it does not declare corresponding permissions or warn users about those operations. This creates a transparency and consent problem: an agent may perform filesystem and subprocess actions that users did not explicitly authorize, increasing the chance of unintended data access or modification.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states it will generate output files and automatically fill Excel data, but it does not warn that existing files in the output directory or target workbook may be modified or overwritten. In practice this can lead to silent corruption or loss of user data, especially when pointed at shared directories or production spreadsheets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The command examples show an --excel-path argument but do not tell the user that the referenced workbook will be altered during processing. That omission undermines informed consent and makes accidental modification of important spreadsheets more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal