ClawHub

Compress PDF

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose, but users should know it sends their selected PDF to an external compression service.

Install only if you are comfortable sending selected PDFs to Cross-Service-Solutions and receiving a third-party-hosted download URL. Avoid sensitive, regulated, or confidential documents unless the provider is approved for that data; use a dedicated API key where possible and keep it out of logs or shared chat text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly instructs users to upload PDFs to a third-party service but does not disclose the privacy, confidentiality, retention, or compliance implications of sending document contents off-platform. This is dangerous because users may unknowingly transmit sensitive documents to an external processor and then receive a third-party-hosted download URL, creating data exposure and governance risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends user-provided PDFs to an external third-party service for processing, but it does not prominently warn about the privacy and data-transfer implications before use. PDFs often contain sensitive business, legal, financial, or personal information, so silent external upload can cause unintended disclosure and compliance issues.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill uploads the user-provided PDF to a third-party service, but the code provides no explicit user-facing disclosure, consent check, or privacy warning before transmitting potentially sensitive document contents off-host. In an agent-skill context, users may reasonably assume local processing, so silent external transfer increases confidentiality and compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
- Register / get key: https://login.cross-service-solutions.com/register

## How it works
1) Upload PDF to `POST https://api.xss-cross-service-solutions.com/solutions/solutions/api/29`
2) Poll `GET https://api.xss-cross-service-solutions.com/solutions/solutions/api/<job_id>` until done
3) Return `output.files[0].path` as the download URL
Confidence
95% confidence
Finding
https://api.xss-cross-service-solutions.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## How it works
1) Upload PDF to `POST https://api.xss-cross-service-solutions.com/solutions/solutions/api/29`
2) Poll `GET https://api.xss-cross-service-solutions.com/solutions/solutions/api/<job_id>` until done
3) Return `output.files[0].path` as the download URL

## Defaults
Confidence
90% confidence
Finding
https://api.xss-cross-service-solutions.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal