Url Images To Pdf

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its stated URL-to-PDF purpose, but it interpolates the supplied URL directly into a shell command string, so a crafted URL could run arbitrary commands on the user's machine.

Do not run this skill on untrusted or unusual URLs unless the shell-command issue is fixed. If you use it, review the script, install pdfkit carefully, and prefer a patched version that fetches URLs without invoking a shell.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent runs this skill on a maliciously crafted URL, local commands could execute with the same permissions as the user or agent process.

Why it was flagged

The URL argument is inserted directly into a shell command. Shell metacharacters, command substitution, or quotes in a crafted URL could cause arbitrary commands to run under the user's account.

Skill content
const url = process.argv[2]; ... const html = execSync(`curl -sL -A "Mozilla/5.0" "${url}"`, { encoding: 'utf8' });
Recommendation

Replace shell-based curl with a safe HTTP client such as fetch/https, or use execFile/spawn with an argument array and no shell; also validate URLs and reject shell metacharacters.

What this means

Installing a global npm package can change the user's Node environment and depends on the package fetched at install time.

Why it was flagged

The skill asks for a global npm package installation without a pinned version or package lock. This is consistent with the PDF-generation purpose, but users should notice the environment change.

Skill content
pdfkit installed: `npm install -g pdfkit`
Recommendation

Prefer a local, pinned dependency with a package manifest/lockfile, or verify the npm package before installing it globally.