Security audit

Content Alchemy

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it turns user-provided text, URLs, and PDFs into notes, with disclosed local helper scripts and saved long-PDF progress.

Install only if you are comfortable with the skill fetching URLs you provide, running local PDF extraction tools, and saving long-PDF notes and progress locally in plaintext under ~/.content-alchemy/sessions. Avoid --insecure unless you deliberately need TLS troubleshooting, and delete saved session files when they contain sensitive material you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill invokes Python scripts that read PDFs and web content, write markdown/session artifacts, use shell commands, and can perform network access, yet it declares no permissions or trust boundary information. This creates a transparency and governance gap: operators and users may authorize the skill without realizing it can fetch remote content and persist local state, increasing the chance of unintended data exposure or unsafe execution in restricted environments.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 85%
Finding: The published description frames the skill as content transformation, but the instructions also implement persistent PDF session management, local storage of results/state, session discovery/resume, and direct URL fetching. This mismatch is dangerous because users may provide sensitive documents or URLs under the assumption of ephemeral summarization, while the skill actually stores artifacts and reaches out to the network, expanding the attack surface and privacy risk.

Missing User Warnings

Low
Confidence: 84%
Finding: The README states that long-PDF reading artifacts and session state are persistently saved under a user home-directory path, but it does not clearly warn users that potentially sensitive document-derived content, progress metadata, and summaries will remain on disk across sessions. For a skill that processes arbitrary PDFs and articles, this can expose confidential reading material to other local users, backups, endpoint monitoring, or later unintended reuse if users assume processing is ephemeral.

Missing User Warnings

Medium
Confidence: 85%
Finding: The guide states that long-document session data is stored under ~/.content-alchemy/sessions and lists artifacts such as reading plans, segment outputs, and checkpoint summaries, but it does not mention user notice, consent, retention, or protection. Because these artifacts may contain excerpts or derived content from sensitive documents, silent local persistence can expose private data to other local users, backups, syncing tools, or later unintended access.

Missing User Warnings

Medium
Confidence: 88%
Finding: The script can write extracted PDF text and metadata directly to a user-specified output file, which may persist sensitive document contents to disk without any warning, consent checkpoint, or safeguards. In a content-extraction skill, this is more dangerous because users are likely to process private PDFs and may not realize the full text is being stored in plaintext JSON.

Missing User Warnings

Medium
Confidence: 92%
Finding: The manifest explicitly advertises persistent reading progress and cross-session resume behavior, but provides no user-facing disclosure about what data is stored, how long it is retained, or how users can control or delete it. Because this skill processes articles, web pages, and PDFs that may contain sensitive personal or business information, undisclosed persistence increases privacy and data-retention risk even if no overtly malicious behavior is described.

VirusTotal

67/67 vendors flagged this skill as clean.