Back to skill

Security audit

FapiaoClaw

Security checks across malware telemetry and agentic risk

Overview

This invoice-organizing skill is local and mostly purpose-aligned, but it should be reviewed because it can permanently delete and move many files without a dry run or confirmation.

Install only if you are comfortable giving the skill write access to a specific invoice directory. Run it on a copy or backup first, avoid broad paths like your home directory or a project root, and prefer a version that adds dry-run output, explicit confirmation, file-type restrictions, quarantine instead of deletion, and a pinned PyMuPDF version at or above the fixed release.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function is described as duplicate handling, but it deletes any later file with the same MD5 hash across the entire tree without checking file type, location, or whether the user intended deduplication. In a skill context that operates on arbitrary user directories, this can destroy legitimate files and MD5 is also a weak collision-resistant identifier for irreversible deletion decisions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The function name and description imply a read-only content check, but it silently relocates every processed PDF into invoices or invoices/unknown. This mismatch is dangerous because users or calling agents may invoke it expecting inspection only, leading to unexpected bulk file reorganization and possible downstream workflow disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to run a workflow that fixes filenames, removes duplicates, removes files deemed invalid, and moves files into other directories, but it does not require any confirmation or warning that the target directory will be modified. In an agent setting, this creates a real risk of unintended destructive actions against user data, especially if the directory is broad, ambiguous, or incorrectly extracted from the prompt.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code irreversibly deletes files deemed duplicates with no prompt, dry run, backup, or recycle-bin behavior. In an agent skill, this is especially risky because the operation may be triggered automatically on broad directories, causing accidental data loss that is hard to recover.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Any file whose name contains the keyword is deleted outright without confirmation or scoping to invoice PDFs. This broad substring match can remove unrelated files and is more dangerous in this skill because it recursively traverses the target directory and performs permanent deletion automatically.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Bulk moves are less severe than deletion, but they still mutate the user's filesystem without an explicit warning or approval step. Because the skill recursively processes PDFs and classifies them using extracted text, false matches or OCR/text-extraction issues can unexpectedly relocate large numbers of files.

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyMuPDF
Confidence
96% confidence
Finding
PyMuPDF

Known Vulnerable Dependency: PyMuPDF — 1 advisory(ies): CVE-2026-3029 (PyMuPDF has a path traversal in _main_.py)

Low
Category
Supply Chain
Confidence
92% confidence
Finding
PyMuPDF

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.