ClawHub

Convert to PDF

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but sends selected documents and an API key to an external PDF conversion service, so sensitive files need extra caution.

Install only if you are comfortable sending the selected documents to Cross-Service-Solutions for processing. Use non-sensitive test files first, protect the API key, avoid confidential or regulated documents unless the provider's privacy and retention terms meet your needs, and prefer a scoped or disposable key where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to upload user-provided documents to a third-party service but does not prominently warn about the privacy, confidentiality, and cross-border data-transfer implications. This is especially risky because document conversion commonly involves sensitive content, and users may not realize their files leave the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script is explicitly designed to upload local files to a third-party service for conversion, but it does not provide a clear user-facing warning at runtime that document contents will leave the local system. In a skill context, this can cause accidental disclosure of sensitive data because users may invoke it assuming a local conversion operation.

External Transmission

Medium
Category
Data Exfiltration
Content
import requests


DEFAULT_BASE_URL = "https://api.xss-cross-service-solutions.com/solutions/solutions"
CREATE_PATH = "/api/31"
Confidence
91% confidence
Finding
https://api.xss-cross-service-solutions.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal