PDF Toolkit Pro

Security checks across malware telemetry and agentic risk

Overview

This is a local PDF utility whose file access matches its purpose, with dependency hygiene issues but no evidence of hidden, deceptive, or exfiltrating behavior.

Install only if you are comfortable with npm dependencies being fetched at install time. For sensitive PDFs or production use, pin dependencies, add a lockfile, update glob to a patched version, and verify outputs because the PDF-to-image feature currently produces per-page PDF files rather than actual images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"batch": "node scripts/batch.js"
  },
  "dependencies": {
    "pdf-lib": "^1.17.1",
    "sharp": "^0.33.0",
    "pdf2pic": "^3.1.0",
    "commander": "^11.0.0",
Confidence
88% confidence
Finding
"pdf-lib": "^1.17.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "pdf-lib": "^1.17.1",
    "sharp": "^0.33.0",
    "pdf2pic": "^3.1.0",
    "commander": "^11.0.0",
    "glob": "^10.3.0"
Confidence
88% confidence
Finding
"sharp": "^0.33.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "pdf-lib": "^1.17.1",
    "sharp": "^0.33.0",
    "pdf2pic": "^3.1.0",
    "commander": "^11.0.0",
    "glob": "^10.3.0"
  },
Confidence
89% confidence
Finding
"pdf2pic": "^3.1.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"pdf-lib": "^1.17.1",
    "sharp": "^0.33.0",
    "pdf2pic": "^3.1.0",
    "commander": "^11.0.0",
    "glob": "^10.3.0"
  },
  "keywords": ["pdf", "merge", "split", "compress", "convert", "automation"],
Confidence
84% confidence
Finding
"commander": "^11.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"sharp": "^0.33.0",
    "pdf2pic": "^3.1.0",
    "commander": "^11.0.0",
    "glob": "^10.3.0"
  },
  "keywords": ["pdf", "merge", "split", "compress", "convert", "automation"],
  "author": "AI-Company",
Confidence
95% confidence
Finding
"glob": "^10.3.0"

Known Vulnerable Dependency: glob==10.3.0 — 1 advisory(ies): CVE-2025-64756 (glob CLI: Command injection via -c/--cmd executes matches with shell:true)

High
Category
Supply Chain
Confidence
97% confidence
Finding
glob==10.3.0

VirusTotal

64/64 vendors flagged this skill as clean.
