Merge Reimbursement PDFs

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its PDF-merging purpose, but it can automatically install Python packages and LibreOffice through system package managers unless disabled.

Review before installing. Use this only in an environment where it is acceptable for a document tool to install Python packages and possibly LibreOffice, or run it with --no-auto-install after manually installing trusted, pinned dependencies. Avoid pointing it at broad folders; use a dedicated reimbursement folder and review the generated report and thumbnails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("LibreOffice/soffice not found. Attempting automatic install...", file=sys.stderr)
    for command in commands:
        result = subprocess.run(command, check=False)
        if result.returncode != 0:
            raise RuntimeError(f"automatic LibreOffice install failed while running: {' '.join(command)}")
Confidence
97% confidence
Finding
result = subprocess.run(command, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if not AUTO_INSTALL_DEPS:
            raise
        print(f"Installing missing Python package: {package_name}", file=sys.stderr)
        subprocess.check_call([sys.executable, "-m", "pip", "install", package_name])
        return importlib.import_module(module_name)
Confidence
98% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package_name])

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable behavior involving shell access, environment access, and file writes but declares no permissions. That creates a trust and review gap: users or platforms may treat it as lower-risk than it is, while it can still modify files and invoke external commands. In this context, the risk is increased because the documented workflow includes package installation and document generation, both of which can materially change the host system and filesystem.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds the stated core purpose by including automatic pip installs, system package manager installs, report generation, thumbnail rendering, and multi-output folder processing. This mismatch is dangerous because users may consent to a simple local PDF merge while the skill also performs networked dependency installation and broader system changes, expanding the attack surface significantly. The skill context makes this more dangerous because package-manager execution is far more sensitive than ordinary document processing.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Automatic installation of LibreOffice via brew, winget, choco, apt-get, dnf, or yum allows the skill to alter the host system beyond the expected scope of merging reimbursement PDFs. Running package managers can introduce supply-chain risk, require elevated privileges, change system state, and execute additional install scripts, which is disproportionate for a document-processing skill. The context increases severity because this occurs as a convenience feature rather than a clearly separated administrative setup step.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill description suggests document merging, but the code also installs Python packages automatically and later can install LibreOffice. This hidden expansion of capabilities is security-relevant because it performs software installation and external dependency acquisition beyond the user's likely expectations for a local merge utility.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code explicitly invokes OS package managers to install LibreOffice, which may modify the host system and often requires elevated privileges. In the context of a document-processing skill, that behavior is dangerous because it can unexpectedly change system state and execute package-manager transactions without a separate installation workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code installs missing Python packages via pip during normal execution, introducing remote dependency retrieval and code installation at runtime. In a skill meant to merge reimbursement files, that behavior meaningfully increases risk because it extends trust to package repositories and executes newly fetched code on the user's machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatic installation of Python packages and potentially LibreOffice occurs by default unless the user disables it, and the script provides no meaningful upfront consent gate. That makes the behavior risky from a software-safety perspective because users invoking a file-merging tool may not realize it can perform network installs and system changes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyMuPDF>=1.23
Pillow>=10
openpyxl>=3.1
Confidence
93% confidence
Finding
PyMuPDF>=1.23

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyMuPDF>=1.23
Pillow>=10
openpyxl>=3.1
Confidence
96% confidence
Finding
Pillow>=10

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyMuPDF>=1.23
Pillow>=10
openpyxl>=3.1
Confidence
91% confidence
Finding
openpyxl>=3.1

Known Vulnerable Dependency: PyMuPDF — 1 advisory(ies): CVE-2026-3029 (PyMuPDF has a path traversal in _main_.py)

Low
Category
Supply Chain
Confidence
71% confidence
Finding
PyMuPDF

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
Pillow

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
90% confidence
Finding
openpyxl

VirusTotal

66/66 vendors flagged this skill as clean.
