Poster Forge

Security checks across malware telemetry and agentic risk

Overview

Poster Forge is a real poster generator, but its default workflow can send prompts to a third party and its HTML mode renders unescaped user text in an unsandboxed browser.

Review before installing. Use only non-sensitive prompt and poster text, prefer local text mode for private content, and avoid HTML mode with untrusted text unless the skill is updated to escape HTML input and run Chromium with proper sandboxing or equivalent isolation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return False

    tmp_name = "pf_screenshot.png"
    result = subprocess.run([
        chromium, "--headless", "--disable-gpu", "--no-sandbox",
        f"--window-size={width},{height}",
        f"--screenshot={tmp_name}",
Confidence
97% confidence
Finding
result = subprocess.run([ chromium, "--headless", "--disable-gpu", "--no-sandbox", f"--window-size={width},{height}", f"--screenshot={tmp_name}", f"file://{html_fil

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates capabilities to write files, use the network, and invoke shell commands, but it does not declare permissions or provide guardrails. This can lead to unexpected execution of privileged actions, especially in agent environments where undeclared capabilities reduce transparency and make user consent or policy enforcement harder.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This is a true vulnerability: the HTML rendering path starts an external browser with sandboxing disabled while feeding it HTML built from untrusted user input. Because this skill is specifically intended to render arbitrary poster text and template content, the attack surface is directly reachable and the disabled sandbox removes an important defense-in-depth layer against browser-based compromise or local file exposure.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes broad phrases like “generate image”, “create cover”, and “画图”, which can match many benign user requests and cause the skill to activate unexpectedly. Unintended invocation is risky here because the skill can perform network access, shell execution, and file writes, potentially exposing data or performing actions the user did not specifically request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that the AI engine uses Pollinations.ai and is network-dependent, but it does not clearly warn users that prompt content may be sent to an external third-party service. If users include sensitive text, names, or proprietary content in the poster prompt, that data could be disclosed off-platform without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
