ClawHub

Diagrams Generator Pro

Security checks across malware telemetry and agentic risk

Overview

This diagram skill is mostly transparent about being paid, but it can automatically contact an external billing service and charge before the user has confirmed the work.

Install only if you deliberately want a paid SkillPay-backed diagram skill. Verify the SkillPay account identity before use, do not rely on the anonymous_user fallback, require explicit confirmation before every paid generation, and run LaTeX/diagram generation in an isolated environment with pinned dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill performs network access and reads environment variables but does not declare those capabilities. That hides the true privilege and data-access surface from reviewers and users, making it easier for the skill to transmit identifiers or secrets unexpectedly. In this file, the undeclared capabilities are directly used for billing calls and user identification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose is diagram generation, but the implementation embeds mandatory billing, balance checks, charging, and payment-link generation through a third-party service. This hidden secondary behavior expands the trust boundary and can cause users or hosts to send data off-platform and incur charges unrelated to the declared function.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
A diagram-generation skill should not require autonomous payment handling as part of core execution. Making external billing mandatory before any useful work creates unnecessary external data transfer and an opportunity for abuse, especially when the skill can deny service until payment flow succeeds.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file embeds a full billing and payment-enforcement subsystem inside a skill whose stated purpose is diagram generation, which is a strong scope mismatch. In skill ecosystems, hidden monetization logic can be used to charge users, gate unrelated functionality, or introduce unauthorized financial flows without clear platform approval or user consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code performs live balance checks, charges, and payment-link generation against an external billing service that is unrelated to the declared diagram-generation function. This creates a direct risk of unauthorized financial transactions and external data transfer, especially because the user may invoke a drawing skill without expecting payment processing or off-platform billing.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The decorator and context manager let developers wrap arbitrary functions so they automatically trigger billing before execution, effectively turning this module into a generalized paywall primitive. That expands the blast radius beyond a single diagram operation and makes covert monetization easier to apply broadly across the skill or other code paths.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states a per-use price and says payment is automatically verified before each diagram generation, but it does not clearly warn that ordinary user requests may trigger a paid action at runtime. In an agent context, this can lead to unintended charges because users may invoke the skill through natural-language prompts without realizing each generation is billable.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The billing request paths transmit user identifiers to an external service without any visible disclosure, consent flow, or privacy notice in the executable path. Even if the identifier is not highly sensitive by itself, silent transmission to a third party for billing creates privacy and compliance risk and may violate user expectations for a diagram tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The require_payment decorator charges the user automatically before the wrapped function runs, with no visible warning at the call site and no explicit opt-in from the end user. This is dangerous because developers can apply it silently to existing functionality, causing unexpected charges or coercive paywall behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Entering the PaymentContext immediately attempts to charge the user, again without any user-facing warning in the execution path. Context managers are easy to hide in surrounding code, so this pattern can trigger charges implicitly and makes billing side effects hard to notice during review.

External Transmission

Medium
Category
Data Exfiltration
Content
# ② Charge per call / 每次调用扣费
def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={
Confidence
97% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
# ③ Generate payment link / 生成充值链接
def get_payment_link(user_id: str, amount: float) -> str:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/payment-link',
        headers=HEADERS,
        json={'user_id': user_id, 'amount': amount}
Confidence
96% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/payment-link', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = {'X-API-Key': BILLING_API_KEY, 'Content-Type': 'application/json'}

def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={'user_id': user_id, 'skill_id': SKILL_ID, 'amount': 0.001}
Confidence
97% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = {'X-API-Key': BILLING_API_KEY, 'Content-Type': 'application/json'}

def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={'user_id': user_id, 'skill_id': SKILL_ID, 'amount': 0.001}
Confidence
97% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = {'X-API-Key': BILLING_API_KEY, 'Content-Type': 'application/json'}

def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={'user_id': user_id, 'skill_id': SKILL_ID, 'amount': 0.001}
Confidence
97% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = {'X-API-Key': BILLING_API_KEY, 'Content-Type': 'application/json'}

def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={'user_id': user_id, 'skill_id': SKILL_ID, 'amount': 0.001}
Confidence
97% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

Unvalidated Output Injection

High
Category
Output Handling
Content
os.makedirs(output_dir, exist_ok=True)
    
    # 编译 LaTeX
    result = subprocess.run(
        ["pdflatex", "-output-directory", output_dir, tex_file],
        capture_output=True, text=True
    )
Confidence
94% confidence
Finding
subprocess.run( ["pdflatex", "-output-directory", output_dir, tex_file], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal