Redact

Security checks across malware telemetry and agentic risk

Overview

This redaction skill mostly matches its stated purpose, but it can expose or leave behind unredacted sensitive text during normal logging, debug output, and OCR processing.

Review before installing. Use only on local files you are comfortable processing with OCR and Office converters, avoid debug modes for real PII, clear temporary PPStructure/redact cache files after use, and treat terminal logs as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"  if ($word -ne $null) { $word.Quit() } "
                "}"
            )
            result = subprocess.run(
                ["powershell", "-NoProfile", "-Command", command],
                capture_output=True,
                text=True,
Confidence
82% confidence
Finding
result = subprocess.run( ["powershell", "-NoProfile", "-Command", command], capture_output=True, text=True, timeout=180,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end try
end tell
'''
            result = subprocess.run(
                ["osascript", "-e", script],
                capture_output=True,
                text=True,
Confidence
78% confidence
Finding
result = subprocess.run( ["osascript", "-e", script], capture_output=True, text=True, timeout=180, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises scripts that can read files, write outputs, inspect environment-backed runtime state, and invoke shell-based setup/actions, but it does not declare any permissions. That creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as lower risk than it actually is, even though it processes sensitive local documents and produces transformed outputs. In a redaction skill, undeclared capabilities are especially sensitive because the inputs are likely to contain PII and confidential material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a privacy redaction tool, but the documentation also describes broad document-reading, OCR extraction, structured JSON export, and info/debug-style output that can reveal the very sensitive contents users expect to be protected. This mismatch is dangerous because a user may invoke the skill to sanitize files, while the skill also exposes raw text and OCR data that could be logged, returned, or mishandled before redaction occurs. In this context, extra extraction features materially increase privacy risk rather than being incidental.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation is a document-reading and OCR extraction tool, not a redaction utility as advertised. In a privacy/redaction context, this mismatch is dangerous because users may believe sensitive data will be masked when the skill actually extracts and reproduces it, increasing the chance of disclosure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script prints and optionally saves extracted document text, which is the opposite of redaction. In a privacy-oriented skill, that creates a high risk of exposing PII or confidential content to logs, terminal history, or disk files when users expected sanitization.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill launches Word, PowerShell, AppleScript, and LibreOffice to process files, which is much broader and more privileged behavior than a narrowly described redaction toolkit suggests. This expands the attack surface and can open untrusted documents in complex desktop applications, increasing risk from malformed or malicious files.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The debug path writes full OCR/structure JSON and an annotated image containing all detected text and locations to disk. In a privacy-redaction skill, this creates new derivative artifacts that may expose the very sensitive data the tool is supposed to remove, especially if output directories are shared, synced, or retained. The skill context makes this more dangerous because users are likely processing PII and may reasonably expect privacy-preserving behavior by default.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The debug-only path serializes full extracted PDF text spans and OCR regions to JSON and also renders debug images with visible text labels. In a privacy-redaction tool, this creates additional plaintext artifacts containing the very sensitive data users are trying to remove, increasing exposure through logs, output directories, backups, and accidental sharing.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The CLI help text describes debug mode as visualization-oriented, but the implementation for PDF text pages writes the original matched sensitive text back onto the document in red. Users may enable debug expecting safe inspection and instead produce an output file that preserves or highlights secrets, which is especially risky in a redaction workflow.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill launches an external LibreOffice process to convert legacy .ppt files, which expands the trust boundary from in-process parsing to a large third-party office suite. Processing attacker-supplied presentation files through LibreOffice can expose the host to parser vulnerabilities or unexpected file access behavior, especially in an automated agent context handling untrusted documents.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The tool converts Office files by launching external applications and writing temporary PDFs in a fixed cache directory without clearly informing the user. In a privacy-focused context, silent file creation and external app execution can leak sensitive content to disk and surprise users who expected contained redaction processing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The --save option writes extracted document content to an arbitrary path without any warning that the content may contain highly sensitive information. In this skill’s privacy/redaction context, that increases the risk of accidental persistence and secondary disclosure of the very data users are trying to protect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool emits OCR-extracted text, text span content, and page metadata to debug JSON/images without a strong privacy warning or minimization. For a skill specifically intended to redact PII, this undermines the trust boundary by duplicating sensitive content into new files that may be less protected than the source document.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The OCR pipeline writes extracted JSON results containing slide text to temporary directories on disk, which can persist sensitive contents outside the final redacted file. In a privacy-redaction tool, creating undeclared plaintext artifacts materially increases confidentiality risk if other users, processes, backups, or logs can access temp storage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script logs both the sensitive target text and replacement values to stderr during redaction. Because this tool is specifically meant to handle PII and confidential data, such logging can leak the very secrets the user is trying to remove into terminal history, orchestrator logs, or monitoring systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The image-redaction path logs the matched text and surrounding OCR region content, potentially exposing sensitive slide text extracted from images. In a redaction workflow this is particularly dangerous because OCR-derived secrets may end up stored in service logs even if the output presentation is properly sanitized.

VirusTotal

64/64 vendors flagged this skill as clean.
