Book To Skills

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it installs generated skills persistently and can silently install Python packages, so users should review it before use.

Install only if you are comfortable with it creating persistent WorkBuddy skills from book content and installing Python dependencies. Prefer reviewing generated SKILL.md files before copying them into ~/.workbuddy/skills, use a sandbox or disposable environment for untrusted books, and remove generated skills that have broad or unwanted triggers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        import subprocess
        python = str(Path.home() / ".workbuddy/binaries/python/envs/default/bin/python3")
        subprocess.run([python, "-m", "pip", "install", "ebooklib", "beautifulsoup4", "-q"], check=True)
        from ebooklib import epub
        from bs4 import BeautifulSoup
Confidence
91% confidence
Finding
subprocess.run([python, "-m", "pip", "install", "ebooklib", "beautifulsoup4", "-q"], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        import subprocess, pathlib
        python = str(pathlib.Path.home() / ".workbuddy/binaries/python/envs/default/bin/python3")
        subprocess.run([python, "-m", "pip", "install", "pdfplumber", "-q"], check=True)
        import pdfplumber

    if not os.path.exists(input_path):
Confidence
92% confidence
Finding
subprocess.run([python, "-m", "pip", "install", "pdfplumber", "-q"], check=True)
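Both subprocess findings above quote the same pattern: a failed import is answered by an unpinned `pip install` with no opt-in, no version pin and no hash check. The block below is an added example of how that step can fail closed instead; it is not code from the Book To Skills skill or from SkillSpector. It assumes (not stated in the report) that a hash-pinned lock file named requirements.lock ships with the skill and that installation is only permitted when the operator sets the environment variable BOOK_TO_SKILLS_ALLOW_INSTALL=1. The interpreter path and module names are the ones quoted in the findings.

```python
"""Fail-closed dependency handling for the book extraction step.

Added example, not the skill's own code. Assumptions (not from the report):
a hash-pinned lock file `requirements.lock` sits beside the skill, and
installation is only allowed when BOOK_TO_SKILLS_ALLOW_INSTALL=1 is set.
"""
import importlib
import os
import subprocess
import sys
from pathlib import Path
from typing import Sequence

# Interpreter path quoted in the findings; falls back to the running one.
WORKBUDDY_PYTHON = Path.home() / ".workbuddy/binaries/python/envs/default/bin/python3"
LOCK_FILE = Path("requirements.lock")          # assumed: produced with hashes
OPT_IN_VAR = "BOOK_TO_SKILLS_ALLOW_INSTALL"    # assumed opt-in switch


class MissingDependency(RuntimeError):
    """Raised instead of installing anything when a module is absent."""


def missing_modules(modules: Sequence[str]) -> list:
    """Return the subset of `modules` that cannot be imported right now."""
    absent = []
    for name in modules:
        try:
            importlib.import_module(name)
        except ImportError:
            absent.append(name)
    return absent


def install_command(lock_file: Path = LOCK_FILE) -> list:
    """pip invocation restricted to the lock file: --require-hashes rejects any
    artifact whose hash differs from the lock, --no-deps stops pip from
    resolving anything the lock does not list."""
    python = WORKBUDDY_PYTHON if WORKBUDDY_PYTHON.exists() else Path(sys.executable)
    return [str(python), "-m", "pip", "install", "--require-hashes",
            "--no-deps", "-r", str(lock_file)]


def ensure_dependencies(modules: Sequence[str], *, environ=os.environ,
                        runner=subprocess.run) -> list:
    """Check imports; if something is missing and the operator has not opted
    in, raise with the exact command they would have to run themselves.
    Only with opt-in run the pinned install, then re-check.
    Returns the list of modules that were absent before the call."""
    absent = missing_modules(modules)
    if not absent:
        return []
    if environ.get(OPT_IN_VAR) != "1":
        raise MissingDependency(
            f"missing {absent}; automatic install is disabled. Review "
            f"{LOCK_FILE} and run: {' '.join(install_command())} "
            f"(or set {OPT_IN_VAR}=1 to let the skill run it)")
    runner(install_command(), check=True)
    still = missing_modules(modules)
    if still:
        raise MissingDependency(f"install ran but {still} still cannot be imported")
    return absent


if __name__ == "__main__":
    # Same modules the quoted snippets try to import.
    try:
        ensure_dependencies(["ebooklib", "bs4", "pdfplumber"])
        print("all extraction dependencies present")
    except MissingDependency as exc:
        print(exc)
```

The point of the `runner` and `environ` parameters is that the decision logic can be exercised without touching the network; the default behaviour with no opt-in is to stop and tell the operator what would have been installed.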

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs use of shell commands and file writes, including package installation and writing generated skills into local directories, but declares no permissions or safety boundaries. This creates a trust gap where a user or platform may not realize the skill can modify the filesystem and invoke command execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
For a book-to-skills EPUB extraction utility, installing Python packages during execution is unnecessary and risky because processing a user-supplied EPUB can trigger dependency installation and execution paths unrelated to simple parsing. This creates avoidable supply-chain exposure and weakens environment integrity in a context that should be limited to deterministic local extraction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing pdfplumber during PDF extraction is not necessary to process a user-supplied book and expands the skill's privileges beyond its stated purpose. This creates a supply-chain exposure because the skill reaches out to install and execute third-party code at runtime, increasing the blast radius if package sources or the environment are compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that generated skill packages are directly installed into the local ~/.workbuddy/skills/ directory with no explicit warning, review step, or opt-in. Auto-installing generated artifacts is risky because it persists new agent behavior locally and could enable later unintended execution, trigger collisions, or propagation of unsafe content from the analyzed book into installed skills.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The generated knowledge skill is instructed to trigger when the user mentions the book, author, or core concepts, which are broad and commonly occurring references. Overly broad triggers can cause accidental invocation, incorrect routing of unrelated user requests, and make auto-installed skills harder to control once persisted locally.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The action-skill trigger guidance includes generic method names and related keywords without strict disambiguation. If such skills are installed locally, common phrases may unintentionally activate them, leading to incorrect behavior or unexpected execution paths in later sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These installation steps direct the agent to create directories and write files under the user's persistent skill directory without an explicit safety warning or approval gate. Persistent modification of the agent's skill set is security-relevant because it changes future behavior beyond the current task and may install unsafe or overly broad generated skills.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Telling users they can directly say a concept name to auto-trigger the knowledge skill encourages ambiguous triggers that are likely to collide with ordinary conversation. In a system with persistent installed skills, this increases the chance of accidental activation and unpredictable routing across unrelated tasks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically installs a package without any warning, confirmation, or policy check, so a simple document-processing action can unexpectedly modify the host environment. In a skill that handles untrusted user-provided books, silent dependency installation is more dangerous because users may not expect network access or package execution as part of content extraction.

Session Persistence

Medium
Category
Rogue Agent
Content
## Step 5: Install & Deliver

### 5.1 Create Output Directory

```bash
mkdir -p ~/workbuddy-output/{YYYY-MM-DD}-book-to-skills/{book-slug}/
Confidence
87% confidence
Finding
Create Output Directory ```bash mkdir -p ~/workbuddy-output/{YYYY-MM-DD}-book-to-skills/{book-slug}/ ``` ### 5.2 Install Skills Locally For each generated skill, create the directory under `~/.work
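The three Vague Triggers findings and the Missing User Warnings findings about Step 5 point at the same gap: generated skills go straight into ~/.workbuddy/skills with triggers nobody has looked at. The block below is an added example of the review step the overview recommends; it is not code from the Book To Skills skill or from SkillSpector. It assumes (not documented in the report) that a generated SKILL.md begins with a front-matter block carrying a `name:` field and a `triggers:` list of phrases, and it uses a constructed sample skill and a small assumed list of common words. It flags triggers that are single words, very short, or made only of everyday words, and copies a skill into the live directory only when no trigger is flagged.

```python
"""Pre-install review of generated SKILL.md files.

Added example, not the skill's own code. Assumptions (not from the report):
front matter is a `---` block with scalar `key: value` lines and one
`triggers:` list of `- phrase` items; the common-word list is illustrative.
"""
from __future__ import annotations

import re
import shutil
from pathlib import Path

# Constructed sample of a generated skill; the title and triggers are invented.
SAMPLE_SKILL_MD = """---
name: deep-work-knowledge
description: Concepts from a book about focused work
triggers:
  - deep work
  - focus
  - author
  - attention residue
  - the book
---
# Deep Work knowledge skill
(body omitted)
"""

# Words that occur in ordinary conversation; a trigger made only of these
# would fire on unrelated requests (assumed list for the example).
COMMON_WORDS = {"the", "a", "an", "book", "author", "focus", "work", "concept",
                "idea", "method", "chapter", "summary", "help", "explain"}
MIN_TRIGGER_CHARS = 6


def parse_front_matter(text: str) -> dict:
    """Return the front-matter fields; lists are parsed from `- item` lines.
    An empty dict means there was no front matter at all."""
    m = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    if not m:
        return {}
    meta: dict = {}
    current_list = None
    for line in m.group(1).splitlines():
        item = re.match(r"^\s*-\s+(.*)$", line)
        if item and current_list is not None:
            meta[current_list].append(item.group(1).strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            if value.strip():
                meta[key] = value.strip()
                current_list = None
            else:
                meta[key] = []
                current_list = key
    return meta


def trigger_problems(trigger: str) -> list:
    """Reasons a trigger is too broad to persist; empty list means acceptable."""
    words = re.findall(r"[a-z0-9']+", trigger.lower())
    problems = []
    if len(trigger.strip()) < MIN_TRIGGER_CHARS:
        problems.append("too short")
    if words and all(w in COMMON_WORDS for w in words):
        problems.append("only common words")
    if len(words) == 1:
        problems.append("single word")
    return problems


def review_skill(text: str) -> dict:
    """Map each offending trigger to its problems. The empty-string key
    carries structural problems (no front matter, no triggers)."""
    meta = parse_front_matter(text)
    if not meta:
        return {"": ["no front matter"]}
    triggers = meta.get("triggers")
    if not isinstance(triggers, list) or not triggers:
        return {"": ["no triggers declared"]}
    return {t: trigger_problems(t) for t in triggers if trigger_problems(t)}


def stage_skill(src: Path, staging_dir: Path, live_dir: Path) -> Path:
    """Copy a generated SKILL.md into `staging_dir` for inspection; promote it
    to `live_dir` (the agent's persistent skills directory) only when the
    review found nothing. Returns the path where the file ended up."""
    text = src.read_text(encoding="utf-8")
    name = str(parse_front_matter(text).get("name") or src.parent.name)
    staged = staging_dir / name / "SKILL.md"
    staged.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, staged)
    if review_skill(text):
        return staged                     # stays out of the live directory
    live = live_dir / name / "SKILL.md"
    live.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, live)
    return live


if __name__ == "__main__":
    for trig, probs in review_skill(SAMPLE_SKILL_MD).items():
        print(f"{trig!r}: {', '.join(probs)}")
```

Run against the constructed sample, the review flags `focus`, `author` and `the book` and leaves `deep work` and `attention residue` alone, so the skill stays in staging until someone narrows the triggers. Using a staging directory that the agent does not load keeps the approval gate outside the agent's own control.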

VirusTotal

64/64 vendors flagged this skill as clean.
