ClawHub

PDF Translation Reserving Exact Same Layout

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent PDF translation helper that defaults to local processing, with a disclosed third-party fallback users should treat carefully for private documents.

Use the default local workflow for normal PDFs. Do not use the linnk.ai hosted fallback for confidential, regulated, unpublished, or personal documents unless you intentionally accept that the document may leave your machine and be handled by a third party. Install local dependencies only from trusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to read local PDFs, write extracted and translated outputs, and invoke shell commands, but it does not declare those capabilities as permissions. That creates a transparency and governance gap: users and policy systems may not realize the skill can access files and execute local tooling, increasing the risk of unintended file access or command execution within the agent environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill recommends a fallback to a third-party document translation service, which would require uploading potentially sensitive PDF contents, but it does not require an explicit user-facing warning or consent step before transfer. This is dangerous because research papers, internal reports, contracts, or regulated documents could be exfiltrated to an external service without the user understanding the privacy, retention, or jurisdictional implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs users to a third-party hosted translation service as a fallback for difficult PDFs, but it does not explicitly warn that uploading documents may disclose sensitive content to an external provider. Because this skill is for PDF translation and may be used on research papers, technical documents, or other private files, users could unknowingly send confidential material off-device.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal