ClawHub

Add watermark to PDF

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims: it uploads selected PDFs and watermark text to a disclosed third-party API to create watermarked files.

Install only if you are comfortable sending the selected PDFs, filenames, watermark text, and API-authenticated requests to Cross-Service-Solutions. Avoid confidential or regulated PDFs unless that service is approved for your use, keep the API key secret and revocable, and do not set SOLUTIONS_BASE_URL or --base-url unless you intentionally trust that destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes uploading PDFs and watermark text to an external Solutions API but does not clearly warn users that their documents and text content are transmitted to a third-party service. This is a real transparency and data-handling issue because users may unknowingly send sensitive or regulated documents off-platform.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user-provided PDF files and watermark text to a third-party API, but the user-facing description does not prominently warn about this external transmission. That creates a privacy and data-handling risk because users may provide sensitive documents or confidential watermark text without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads local PDF contents and user-supplied watermark text to a third-party remote API, but it provides no explicit user-facing consent prompt or warning at execution time about external data transfer. Because PDFs often contain sensitive business or personal information, this can lead to unintended disclosure when users assume processing is local.

External Transmission

Medium
Category
Data Exfiltration
Content
## How it works
1) Upload PDFs + watermark text to:
   `POST https://api.xss-cross-service-solutions.com/solutions/solutions/api/61`
2) Poll:
   `GET  https://api.xss-cross-service-solutions.com/solutions/solutions/api/<job_id>`
3) Return `output.files[].path` as download URL(s)
Confidence
90% confidence
Finding
https://api.xss-cross-service-solutions.com/

External Transmission

Medium
Category
Data Exfiltration
Content
1) Upload PDFs + watermark text to:
   `POST https://api.xss-cross-service-solutions.com/solutions/solutions/api/61`
2) Poll:
   `GET  https://api.xss-cross-service-solutions.com/solutions/solutions/api/<job_id>`
3) Return `output.files[].path` as download URL(s)

## Script (CLI)
Confidence
88% confidence
Finding
https://api.xss-cross-service-solutions.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal