Article to Infographic

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised infographic work, but its PNG export helper can silently install Python packages and Chromium at runtime, which is more host-changing than users would reasonably expect.

Review this skill before installing. It is not backed by evidence of malware, but running PNG export may download and install Playwright and Chromium and may modify the Python environment. Use it only in a sandbox or after manually provisioning dependencies, and avoid giving it sensitive local files unless you are comfortable with browser-based rendering of that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Excerpt as captured by the scanner: the preceding subprocess.run(...) call
    # whose result is stored in chromium_check is not shown.
    )
    if chromium_check.returncode != 0 or "chromium" not in chromium_check.stdout.lower():
        print("[html_to_png] Installing chromium browser...", file=sys.stderr)
        # Downloads and installs a Chromium build at runtime, with output suppressed.
        subprocess.check_call(
            [sys.executable, "-m", "playwright", "install", "chromium"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
        )
Confidence
88% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "playwright", "install", "chromium"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        import playwright
    except ImportError:
        print("[html_to_png] Installing playwright...", file=sys.stderr)
        # Installs the package into the current Python environment at runtime;
        # --break-system-packages overrides pip's protection of a system-managed install.
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "playwright", "-q",
             "--break-system-packages"],
            stdout=subprocess.DEVNULL
        )
Confidence
92% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "playwright", "-q", "--break-system-packages"], stdout=subprocess.DEVNULL )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell-capable behavior for PNG export via `python3` and likely local server/browser tooling, yet declares no permissions. Hidden execution capability increases the attack surface because users and policy systems cannot accurately assess or gate subprocess execution, dependency installation, or local file handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims to generate infographics, but it also instructs the agent to run browser automation, take screenshots of local content, and auto-install Playwright/Chromium. This mismatch is dangerous because users may authorize a content-transformation skill without realizing it can execute tooling, modify the environment, and access/render local files during export.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The skill first requires output format confirmation before generation/export, then later says to ask again after HTML delivery whether to export PNG. This contradictory flow can cause agents to bypass earlier consent boundaries and perform additional file rendering or browser automation that the user did not clearly approve in the required confirmation step.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script bundles self-installation behavior for Playwright and Chromium into a utility whose expected purpose is only rendering HTML to PNG. This is dangerous because it performs privileged environment-changing actions and network-based software retrieval implicitly, creating supply-chain and host-modification risk disproportionate to the task.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation language is broad enough to match common summarization, visualization, or content-conversion requests, which can cause the skill to activate in situations where the user did not intend file access, web fetching, HTML generation, or export automation. Over-broad triggering increases the chance of unintended capability use and unsafe processing of URLs/files.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to read URLs/files and later write output files, but it does not require an explicit warning or consent about local file access, network retrieval, and file creation side effects. That omission is risky because users may supply ambiguous inputs without understanding that local content will be accessed or artifacts will be written to disk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatically installing Playwright and Chromium without explicit confirmation or warning means a user invoking a document conversion helper may unknowingly trigger package and browser installation. In an agent skill, that hidden side effect is more dangerous because tools can be run non-interactively, making unauthorized system changes more likely.

VirusTotal

65/65 vendors rated this skill clean (no detections).