Report Creator

Security checks across malware telemetry and agentic risk

Overview

This is a real report-generation skill, but generated reports include under-disclosed editing, export, and remote-script behavior that users should review before installing.

Review this skill carefully before installing. It is not malicious based on the artifacts reviewed, but generated reports may execute JavaScript from public CDNs, include hidden edit/save behavior, and provide local export controls. For confidential reports, prefer bundled/offline output, inspect generated HTML before sharing, and do not rely on the Telegram workflow unless a separate trusted integration sends the report with explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (47)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs reading and writing files and invoking shell commands, but it does not declare permissions. That creates a trust and policy gap: reviewers and runtime controls may underestimate what the skill can do, while users are not adequately informed about filesystem and subprocess access. In this context, the risk is increased because the skill processes user-supplied files and can invoke Python scripts during generation/export flows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description presents a report-generation skill, but the behavior includes broader validation, test orchestration, subprocess pipelines, context extraction, and cleanup tasks. This mismatch can hide materially different capabilities from users and policy engines, especially release verification and pytest/subprocess execution, which expand operational scope beyond simple document generation. In a skill that already reads/writes files and invokes scripts, under-disclosed behavior makes misuse and overreach more dangerous.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README and skill metadata define a narrower scope than the documented behavior, yet the file also advertises built-in PNG export and downstream screenshot/export flows. This scope mismatch is security-relevant because users and orchestrating agents may grant the skill permissions or trust assumptions appropriate for report generation, while the skill documentation encourages additional data transformation and export behavior that can move content outside the expected boundary.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The Telegram workflow extends the skill from local report generation into outbound delivery to a third-party channel, which materially changes the risk profile. In a skill intended for creating reports, examples that normalize automatic sending of generated content can cause sensitive internal notes, decisions, or KPI summaries to be exfiltrated without sufficient boundary checks, especially when driven by natural-language prompts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The example report contains a built-in edit mode plus a Ctrl/Cmd+S handler that serializes the live DOM and downloads a modified HTML file. In a report-generation skill, this goes beyond passive preview functionality and creates a client-side document editor/persistence mechanism that can preserve injected or unsafe markup if untrusted content is ever rendered into the template.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The file loads executable JavaScript from a third-party CDN (Chart.js) even though it is presented as a local example report artifact. This introduces supply-chain and integrity risk: opening the local HTML implicitly trusts remote code that could change, be compromised, or be blocked, altering behavior or exposing users to malicious script execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The demo HTML contains a hidden edit mode plus Ctrl/Cmd+S export that enables in-browser modification and saving of the rendered report. In a report-generation skill, this adds client-side document editing and exfiltration-like file creation behavior outside the stated scope, which could be abused to alter report contents, mislead users about provenance, or preserve injected/unsafe HTML if untrusted content ever becomes editable.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template contains an in-browser edit mode plus a Ctrl/Cmd+S local export path that is outside the stated scope of report creation/rendering examples. This adds unnecessary active functionality to a generated HTML artifact, increasing attack surface and creating a path for unreviewed user-modified content to be saved and redistributed as trusted output.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The HTML loads executable JavaScript from a third-party CDN at runtime, creating a supply-chain and integrity risk for any environment that opens the generated report. If the CDN asset is compromised, swapped, blocked, or version-drifted, every rendered report can execute unexpected code in the viewer's browser.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The HTML includes hidden UI elements for an edit workflow (`edit-hotzone` and `edit-toggle`) even though this artifact is presented as a report/demo output rather than an editor. Embedding latent editing controls expands the page's capability surface and can enable unauthorized or misleading content changes when the file is opened locally or shared, especially because the controls are intentionally unobtrusive.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script enables in-browser editing of report content by toggling `contenteditable` across headings and text elements, which is beyond the stated purpose of generating/reviewing reports. That capability makes the delivered HTML an active editor rather than a static report, increasing the risk of silent post-generation tampering, accidental modification, and trust confusion about whether the document reflects approved output.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code intercepts Ctrl/Cmd+S and writes the current DOM to a downloadable HTML file, effectively implementing export/save of a finished HTML artifact. That directly conflicts with the skill metadata stating this skill does not handle export of finished HTML, and it becomes more dangerous because it can persist any in-browser edits into a distributable file, bypassing expected workflow boundaries and review controls.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The template exposes an undocumented in-browser edit mode via a hidden hotzone and toggle button, which adds capabilities beyond passive report rendering. Undocumented interactive behavior is dangerous in agent-generated artifacts because users or downstream systems may trust the file as a static report while it actually supports local content modification and persistence-related workflows.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script intercepts Ctrl/Cmd+S and saves the full current DOM as an HTML file, effectively creating an undocumented local export mechanism. In the context of a report-generation skill, this increases risk because edited or injected content can be persisted as a standalone HTML artifact, potentially misleading users about provenance and enabling unexpected redistribution of active content.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The Ctrl/Cmd+S handler serializes the entire DOM and triggers a local HTML download without any explicit user-facing permission prompt or feature scoping. In a report-generation context, this can preserve transient DOM state, embedded sensitive content, or user edits into a portable file unexpectedly, creating a data leakage risk and an undocumented export path.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The custom block design permits arbitrary HTML templates from frontmatter and then performs placeholder substitution into that HTML, effectively creating an unrestricted HTML injection primitive inside generated reports. In a report-generation skill that may ingest user notes, URLs, data, or plan files and render to HTML, this can lead to script injection, malicious event handlers, external resource loading, phishing UI, or unsafe embedded content if any untrusted input reaches either the template or substituted fields.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The template contains built-in PNG/JPEG export logic using html2canvas even though the skill metadata says this skill should not handle exporting finished HTML to PNG. This creates undeclared capability expansion and weakens separation-of-duties between skills, increasing the chance that a caller invokes file/image export through the wrong component and bypasses intended control boundaries.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The template loads highlight.js and Chart.js from third-party CDNs at runtime, and later dynamically loads html2canvas from a CDN as well. This introduces supply-chain and privacy risk because rendering a local report now depends on remote code execution in the browser, allowing dependency compromise, outage, or unexpected network access during report viewing/export.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The template embeds PNG/JPEG export actions directly in the report HTML even though the skill metadata explicitly says HTML-to-image export is out of scope and should be handled by a different skill. This capability expansion increases the attack surface and can let this skill perform output transformations and exfiltration-friendly downloads that users or orchestrators may not expect.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The in-browser edit mode turns generated reports into mutable documents and allows saving modified HTML locally, which exceeds a pure report-generation role. In a skill ecosystem, hidden editing capability can undermine auditability, let users alter generated evidence after creation, and create confusion about provenance and trust of the final report.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Dynamically loading html2canvas adds an undeclared third-party dependency and enables rasterized capture/export of the full rendered report, including potentially sensitive data. Because the skill description explicitly excludes finished HTML export to images, this hidden capability is scope-violating and can facilitate unexpected data extraction or bypass workflow controls that were supposed to route export through another skill.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This template implements full client-side HTML-to-image export, including dynamic loading of html2canvas from a third-party CDN and capture of the full rendered document. In the context of a skill that explicitly says finished HTML-to-PNG export belongs to another skill, this hidden capability expands functionality beyond declared scope and can cause sensitive report contents to be silently packaged into downloadable images, undermining policy separation and review boundaries.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The template pulls executable JavaScript and stylesheets from third-party CDNs at runtime, which creates a supply-chain and privacy risk. Any viewer opening the generated report will contact external domains, and compromised or substituted CDN content could execute arbitrary script in the report context.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The template dynamically fetches and executes html2canvas from a third-party CDN at runtime. Any CDN compromise, dependency hijack, or unexpected upstream change would execute arbitrary JavaScript in the page context, potentially exposing rendered report contents and enabling script-based tampering or data exfiltration. The report-creation context makes this more dangerous because the generated pages may contain business-sensitive data and are expected to be locally renderable.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The template loads Chart.js from a third-party CDN, introducing a supply-chain trust dependency for a report template that otherwise appears intended for local rendering. If the external script is modified or unavailable, it could alter report behavior, inject malicious code, or expose data present in the rendered document. This is somewhat mitigated by the common use of Chart.js, but the risk remains because execution occurs in the same DOM context as the report.

VirusTotal

64/64 vendors flagged this skill as clean.
