
Security audit

PDF to Word Converter

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local document-conversion skill; it downloads vendor license/model files and keeps a local trial counter, but I found no hidden data theft, destructive behavior, or deceptive execution.

Install only if you are comfortable with a proprietary ComPDF SDK workflow that may download a roughly 525 MB model and a license file from ComPDF on first use, store them locally, and keep a local trial conversion count. For offline or sensitive environments, pre-provision the model and license files and review the vendor package and license terms first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no required permissions, yet its documented behavior includes reading environment variables, reading and writing local files, and making outbound network requests to download a license and AI model. This is dangerous because users and calling agents cannot accurately assess the trust boundary or consent to those capabilities before execution, increasing the chance of unintended file modification or network egress.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest presents the skill as a PDF-to-Word/DOCX converter, but the documentation reveals substantially broader behavior: additional output formats, image ingestion with OCR, remote downloads, and local trial-usage tracking. This mismatch is dangerous because agents or users may invoke it under a narrower trust assumption while it performs network activity and persistent local state changes outside the advertised scope.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is branded and described as a PDF-to-Word converter, but the documented interface supports many other formats and even image-to-document workflows. Overbroad hidden capability increases the attack surface and can cause unintended invocation for tasks the user did not mean to authorize.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatic downloading of license and model files from remote servers introduces outbound network access and local file writes that are not inherent to simple local document conversion as advertised. This is risky because it creates supply-chain and data-governance concerns, especially in offline, restricted, or sensitive environments where unannounced network egress is unacceptable.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script downloads runtime dependencies at first use, including a license file and an AI model, and then loads them without any authenticity verification such as a signature or a pinned hash. If the remote source, the TLS trust chain, or the distribution path is compromised, an attacker could supply tampered resources that alter behavior, undermine licensing trust, or potentially exploit the native SDK when it parses the downloaded model or license file.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger examples use very broad everyday phrases such as 'pdf to word' and 'convert pdf to docx', which may cause the skill to be invoked more often than intended. While not directly an exploit primitive, overly broad invocation cues increase accidental execution of a skill that performs downloads and file writes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not prominently warn that first use may automatically download large remote artifacts and write them into the local skill directory. This is dangerous because users may expect a local-only converter and unknowingly permit network egress, disk consumption, and persistent local changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The model download path silently fetches and writes a remote file into the local filesystem with only incidental stderr messaging and no explicit consent or integrity check. In a security-sensitive agent environment, undeclared network access and persistent file creation increase supply-chain and transparency risk, especially because the downloaded model is subsequently loaded by the SDK.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script auto-downloads and persists license.xml if absent, again without explicit consent or authenticity validation. Even if the file is not code, trusting a remotely supplied license artifact can enable configuration tampering, unexpected outbound traffic, and reliance on mutable external infrastructure during execution.
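The three download findings above (no pinned hash on the model, no consent or integrity check on the model fetch, and blind trust in a remotely supplied license.xml) and the overview's advice to pre-provision files in offline environments all come down to one routine: fetch only when explicitly allowed, verify a pinned digest before anything touches the skill directory, and fail closed otherwise. The following is an added example of that routine; it is not code from the PDF to Word Converter skill or the ComPDF SDK, and the fetch callable, file names, byte contents and digests are constructed stand-ins. In a real skill the digest would be a literal published by the vendor and checked into the skill, not computed from whatever was downloaded.

```python
"""Fail-closed, pinned-hash retrieval of a skill's first-use artifacts.

Added example; not code from the PDF to Word Converter skill or the ComPDF SDK.
The fetch callable, the file names and the digests below are hypothetical.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional


class ArtifactError(Exception):
    """Artifact missing without permission to fetch, oversized, or digest mismatch."""


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; a 525 MB model should not be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def ensure_artifact(
    path: Path,
    expected_sha256: str,
    fetch: Optional[Callable[[], bytes]] = None,
    allow_network: bool = False,
    max_bytes: int = 600 * 1024 * 1024,
) -> Path:
    """Return `path` once it holds bytes whose SHA-256 equals the pinned digest.

    A pre-provisioned file is accepted only if its digest matches. A missing
    file is fetched only when the caller opted in (allow_network=True) and
    supplied a fetcher; otherwise the call fails instead of egressing silently.
    Downloaded bytes are hashed before they are moved into place, so a
    tampered download never becomes a file the SDK can load.
    """
    if path.exists():
        actual = sha256_file(path)
        if actual != expected_sha256:
            raise ArtifactError(f"{path.name}: digest mismatch, have {actual[:12]}..., want {expected_sha256[:12]}...")
        return path

    if not allow_network or fetch is None:
        raise ArtifactError(f"{path.name} is missing and network fetch is not permitted; pre-provision it")

    data = fetch()
    if len(data) > max_bytes:
        raise ArtifactError(f"{path.name}: download of {len(data)} bytes exceeds cap of {max_bytes}")
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256:
        raise ArtifactError(f"{path.name}: downloaded digest {actual[:12]}... does not match pin")

    # Write to a temp file in the same directory and rename atomically, so a
    # crash mid-write cannot leave a partial artifact that passes `exists()`.
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


# Constructed stand-ins for the real artifacts (not real ComPDF files).
MODEL_BYTES = b"constructed-model-blob-" * 64
LICENSE_BYTES = b"<license>constructed</license>"
MODEL_SHA256 = hashlib.sha256(MODEL_BYTES).hexdigest()      # stands in for a vendor-published pin
LICENSE_SHA256 = hashlib.sha256(LICENSE_BYTES).hexdigest()  # likewise


def run_demo() -> dict:
    """Exercise the four paths a practitioner cares about; returns which ones behaved."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        model = Path(d) / "model.bin"
        lic = Path(d) / "license.xml"

        # 1. Offline environment, nothing pre-provisioned: refuse rather than fetch silently.
        try:
            ensure_artifact(model, MODEL_SHA256)
            results["offline_refuses"] = False
        except ArtifactError:
            results["offline_refuses"] = True

        # 2. Network allowed, but the server or a MITM returns a tampered model: nothing lands on disk.
        try:
            ensure_artifact(model, MODEL_SHA256, fetch=lambda: MODEL_BYTES + b"\x00", allow_network=True)
            results["tampered_rejected"] = False
        except ArtifactError:
            results["tampered_rejected"] = not model.exists()

        # 3. Network allowed, genuine bytes: file is written and re-verifies from disk.
        ensure_artifact(model, MODEL_SHA256, fetch=lambda: MODEL_BYTES, allow_network=True)
        results["genuine_accepted"] = sha256_file(model) == MODEL_SHA256

        # 4. Pre-provisioned license.xml that someone edited: rejected even though it is "just config".
        lic.write_bytes(LICENSE_BYTES.replace(b"constructed", b"tampered"))
        try:
            ensure_artifact(lic, LICENSE_SHA256)
            results["edited_license_rejected"] = False
        except ArtifactError:
            results["edited_license_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `allow_network` flag is the consent the findings say is missing: an agent or user has to opt in to egress explicitly, and an offline deployment that pre-provisions the files never needs to. The digest check on an already-present file also covers the license case, since a mutable license.xml the SDK trusts is a configuration-tampering vector regardless of whether it contains code.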

VirusTotal

64/64 vendors flagged this skill as clean.
