Baoyu Format Markdown

Security checks across malware telemetry and agentic risk

Overview

This formatter is not clearly malicious, but it needs review because it can overwrite local files and runs an undeclared external formatter through `npx`, despite its mixed promises of non-destructive behavior.

Install only if you are comfortable with a formatter that may create extra analysis/backup files, alter article metadata and structure, and, in one mode, modify the original file directly. Prefer running it on copies or in a clean git branch, and disable spacing or review the autocorrect-node dependency path unless you trust runtime package execution through `npx`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The skill presents itself as a formatter, but its workflow creates a separate analysis file and may modify the original file directly. Hidden side effects increase the risk of unintended data changes, repository noise, and user surprise, especially in automated agent environments where the description may be used to assess safety.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill claims it will only adjust formatting and not add content, but later instructions direct the agent to generate frontmatter, titles, summaries, headings, tables, and blockquotes. That inconsistency can cause unauthorized semantic changes to user content under the guise of harmless formatting, which is especially risky for documents where exact wording matters.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The documented core principle says not to add, delete, or rewrite content, yet the workflow later instructs creation of new metadata and structural elements. Contradictory instructions are dangerous because they make operator expectations unreliable and can lead agents to exceed the user’s intended authorization boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill executes an external CLI through `npx`, which can fetch and run package code at execution time depending on environment state. That introduces a software supply-chain risk and expands trust beyond the reviewed repository, especially for a formatting skill that users would not expect to spawn external package code.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding:
The manifest describes markdown/article formatting, but the implementation performs generic autocorrection via an external CLI. This capability mismatch is dangerous because it can cause users or reviewers to underestimate what code is being run and what files may be modified, reducing informed consent and review quality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The implementation overwrites the input file with `writeFileSync(filePath, formattedContent, 'utf-8')` even though the skill metadata promises output to a separate '(unknown)-formatted.md' file. This mismatch can cause silent data loss, break user workflows, and violate user expectations about non-destructive formatting behavior.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The workflow includes creating, backing up, and overwriting output files without prominently warning users in the summary description. In agent-driven environments, understated write behavior can lead to unintended file churn, clobbered outputs, or repository modifications that users did not knowingly authorize.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documented option to run typography fixes directly on the original file is a destructive behavior presented without a prominent safety warning. In-place modification is significantly more dangerous than writing to a separate file because mistakes, encoding issues, or tool bugs can alter the only copy the user intended to preserve.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The code launches a subprocess without any in-file warning, confirmation, or disclosure that external tooling will be executed on user-supplied paths. In this skill context, that is more dangerous because a seemingly simple formatting action may unexpectedly run third-party code and modify files, violating user expectations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill modifies the target file in place without an explicit prior warning or confirmation, making destructive changes easy to trigger accidentally. In a formatting tool, this is particularly risky because users may expect a preview or separate output file and can lose original content or formatting that cannot be easily recovered.

VirusTotal

66/66 vendors flagged this skill as clean.