Md Viewer

Security checks across malware telemetry and agentic risk

Overview

This skill openly implements a LAN Markdown viewer with password-protected links and local history, but users should treat the sharing defaults as sensitive.

Install this only if you want Markdown files reachable from other devices on the same local network. Treat generated links and passwords as secrets, avoid sensitive documents, prefer --localhost on untrusted networks, use --no-history if path privacy matters, and stop the server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions even though its documented behavior includes reading local files, writing persistent history, and exposing content over the network via an HTTP server. This mismatch is dangerous because it hides sensitive capabilities from users and any permission-gating system, reducing informed consent and making risky behavior easier to trigger unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose says the skill merely generates a LAN link for viewing a Markdown file, but the documented behavior goes much further: it starts a full web server, manages authentication, accepts arbitrary absolute file paths, and persists viewing history. That mismatch materially increases risk because users may invoke it for a simple preview while unknowingly exposing local files on the LAN and creating long-lived access state.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The server persistently records viewed file paths and exposes them through a history feature, which exceeds the stated viewer purpose and creates a privacy-sensitive inventory of local documents. In a LAN-accessible file viewer, this can disclose filenames, directory structure, and reading activity to anyone who obtains access to the service.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code includes a JSON history API and persistent activity tracking that are not required to render a Markdown file, increasing the attack surface and exposing sensitive metadata about user behavior. Even if content is not leaked, file paths and timestamps can reveal confidential projects, usernames, and host filesystem layout.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad and overlap with common file-viewing requests such as "show me" and "view file," which can cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because it may expose local Markdown files through a LAN-accessible server and generate shareable links automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description omits a prominent warning that the skill exposes file contents over the local network and relies on authentication material embedded in URLs plus a 30-day persistent cookie. This is dangerous because users may unknowingly share sensitive local files, leak tokens via browser history, logs, or referrers, and leave long-lived access on other devices.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Trigger phrases such as "show me" and "view file" are broad everyday language that can easily match benign requests. In this skill's context, accidental invocation is more dangerous than usual because the action is not just rendering content locally; it may start a LAN-accessible service and expose file paths and content over the network.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The body repeats ambiguous examples like "show me the file" and "view this file" without clarifying that the skill will expose the file through a web server rather than simply display it in-session. Because the skill is network-capable and stores authentication state, this ambiguity materially raises the chance of unintended exposure from routine user phrasing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description omits key risk disclosures: the skill binds to a LAN IP, serves local file contents over HTTP, and persists authentication via cookies for 30 days. Without a clear warning, users may not understand that invoking a simple file-view action can make content reachable from other devices on the same network and remain accessible after initial sharing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
History tracking is enabled by default and stores absolute file paths without a clear user-facing disclosure at startup or in the UI. Those paths can reveal sensitive information about the user's system, work products, account names, and documents even if the Markdown contents are never exfiltrated.

VirusTotal

67/67 vendors flagged this skill as clean.
