Convert Document To Markdown

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it runs an unverified Docker image on local document folders while passing possible API secrets into the container.

Install only if you trust the Aliyun Docker image and the configured Vision API provider. For sensitive files, place only the target document in a temporary folder before conversion, keep .env limited to VL settings, use a scoped API key, and prefer ocr or none mode when external processing is not approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding:
The wrapper explicitly forwards network/API configuration such as VL_BASE_URL, VL_API_KEY, and model settings into the container, which means the containerized tool can reach external services and use sensitive credentials. In the context of a skill described as converting local files through a Dockerized file-only CLI, this materially expands the trust boundary and can enable document contents or secrets to be transmitted off-host.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The skill explicitly forwards `VL_API_KEY` and other `VL_*` variables from OpenClaw config or a local `.env` into a Docker container, and also supports Vision API modes that may send document/image contents to an external service. Without a clear warning about secret handling and external data transmission, users may unknowingly expose sensitive credentials and document contents to the container runtime, image, logs, or third-party API endpoints.

Missing User Warnings

Medium
Confidence: 91%
Finding:
Passing API-related environment variables into the container without clear disclosure is a real security issue because users may believe they are invoking a local file converter while actually granting the container access to credentials and outbound service configuration. That mismatch increases the risk of secret misuse and silent exfiltration of file contents or metadata.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The script automatically pulls and runs a remote image if it is absent locally, which executes code obtained from an external registry without integrity verification or prominent user warning. In a security-sensitive wrapper, this creates a software supply-chain risk: a compromised registry, retagged image, or unexpected image change could lead to arbitrary code execution inside the container with access to mounted files and forwarded secrets.

External Transmission

Medium
Category: Data Exfiltration
Content:
        "enabled": true,
        "apiKey": "sk-xxx",
        "env": {
          "VL_BASE_URL": "https://api.openai.com/v1",
          "VL_MODEL": "gpt-4.1-mini"
        }
      }
Confidence: 90%
Finding: https://api.openai.com/

VirusTotal

63/63 vendors flagged this skill as clean.
