Universal Watermarker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PDF and image watermarking skill with disclosed local output behavior and some supply-chain cautions, but no evidence of deception, credential access, exfiltration, or destructive activity.

Install only if you are comfortable with it creating wm_-prefixed files next to your originals and, when setup_environment is run, downloading a font from GitHub. For sensitive or untrusted PDFs/images, run it in an isolated environment and prefer pinned, audited dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The skill performs an automatic network download of a font from GitHub at runtime, which expands the trust boundary beyond local watermarking and introduces supply-chain and availability risk. If the remote content changes, is intercepted, or becomes unavailable, the skill may fail or consume untrusted binary data without integrity verification.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The invocation guidance tells the LLM to auto-select behavior from broad everyday phrases like “防伪”, “机密保护”, and “铺满” without clear scope checks or confirmation. This can cause the skill to trigger or escalate into more invasive document modification than the user explicitly requested, increasing the risk of unintended file changes.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill states that processed files are written into the source file directory and names them automatically, but it does not require an explicit warning or confirmation before modifying local data. In a file-processing skill, silent writes to user directories can lead to confusion, accidental overwrites in edge cases, data handling surprises, and unsafe operation on sensitive files.

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  pypdf>=3.0.0
  reportlab>=4.0.0
  Pillow>=10.0.0
Confidence: 95%
Finding: pypdf>=3.0.0

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  pypdf>=3.0.0
  reportlab>=4.0.0
  Pillow>=10.0.0
Confidence: 98%
Finding: reportlab>=4.0.0

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  pypdf>=3.0.0
  reportlab>=4.0.0
  Pillow>=10.0.0
Confidence: 97%
Finding: Pillow>=10.0.0

Known Vulnerable Dependency: pypdf — 10 advisory(ies): CVE-2026-24688 (pypdf has possible Infinite Loop when processing outlines/bookmarks); CVE-2026-27628 (pypdf has a possible infinite loop when loading circular /Prev entries in cross-); CVE-2026-40260 (pypdf: Manipulated XMP metadata entity declarations can exhaust RAM) +7 more
Severity: Low
Category: Supply Chain
Confidence: 91%
Finding: pypdf

Known Vulnerable Dependency: reportlab — 6 advisory(ies): CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser) +3 more
Severity: Critical
Category: Supply Chain
Confidence: 99%
Finding: reportlab

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more
Severity: Critical
Category: Supply Chain
Confidence: 98%
Finding: Pillow

VirusTotal

66/66 vendors flagged this skill as clean.