Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it describes: it uploads user-selected PDFs to Shelv for processing and saves the resulting Markdown files locally.

Install only if you are comfortable sending selected PDFs to shelv.dev for processing. Use a revocable Shelv API key when possible, avoid regulated or confidential documents unless approved by your organization, and use --force only when you intend to replace an existing hydrated shelf.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly invokes shell-based capabilities (`curl`, `tar`, `jq`, `shasum`) and performs file/network operations, yet no explicit permissions are declared beyond metadata requirements. This creates a transparency and policy-enforcement gap: users and platforms may not realize the skill can transmit local documents externally and write extracted content into the workspace.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description frames the skill primarily as a local PDF-to-Markdown workflow, but the documented behavior depends on uploading document contents to a third-party API, polling remote state, and downloading processed results using an API key. That mismatch can cause users to expose sensitive PDFs under the false impression that processing is local or self-contained.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script sends the supplied PDF to an external service and creates a remote resource, while the skill description emphasizes local Markdown filesystem hydration for exploration with Unix tools. This mismatch is security-relevant because users may reasonably expect local-only processing and could unknowingly transmit sensitive document contents off-host to a third-party API.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script requires both document upload and an API key, meaning sensitive file contents and credentials are involved in a network operation that is not evident from the stated local-filesystem-oriented purpose. In the context of an agent skill, this increases risk because a user may invoke it expecting local processing, leading to unintended exfiltration of proprietary or regulated PDFs to an external service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly instructs users to upload PDFs to a third-party service and later hydrate extracted content into the local workspace, but it does not clearly warn that document contents leave the local environment or that remote-produced files will be materialized on disk. In an agent skill context, this can lead users to unintentionally send sensitive documents off-platform and introduce untrusted generated content into their workspace without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to upload arbitrary PDFs to an external service without a clear, prominent warning that document contents leave the local environment. For contracts, books, research papers, and regulations, this may include confidential, copyrighted, regulated, or otherwise sensitive material, making accidental disclosure a realistic risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly states that approval can apply file operations including rename, delete, mkdir, and write, but it does not warn that these actions may modify or destroy workspace contents. In an agent skill context, that omission is risky because an agent or user may treat approval as a harmless state transition rather than an operation that can perform destructive filesystem changes.

External Transmission

Medium
Category
Data Exfiltration
Content
**Inline alternative** (without the script):

```bash
curl -X POST "https://api.shelv.dev/v1/shelves" \
  -H "Authorization: Bearer $SHELV_API_KEY" \
  -F "file=@document.pdf" \
  -F "name=My Document"
```
Confidence
96% confidence
Finding
https://api.shelv.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
Get the file tree (flat JSON map of path → content):

```bash
curl -s "https://api.shelv.dev/v1/shelves/$SHELF_ID/tree" \
  -H "Authorization: Bearer $SHELV_API_KEY" | jq '.files | keys[]'
```
Confidence
87% confidence
Finding
https://api.shelv.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
Read a single file by path (useful for targeted lookups without downloading the full archive):

```bash
curl -s "https://api.shelv.dev/v1/shelves/$SHELF_ID/files/README.md" \
  -H "Authorization: Bearer $SHELV_API_KEY"
```
Confidence
85% confidence
Finding
https://api.shelv.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -s "https://api.shelv.dev/v1/shelves/$SHELF_ID/files/clauses/force-majeure.md" \
  -H "Authorization: Bearer $SHELV_API_KEY"
```
Confidence
85% confidence
Finding
https://api.shelv.dev/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal