Security audit

Kai Html Export

Security checks across malware telemetry and agentic risk

Overview

This HTML export and sharing skill has plausible functionality, but it can publish local files publicly, change Vercel protection settings, and process untrusted HTML in ways that deserve careful review.

Install only if you are comfortable with a tool that can upload local HTML and assets to public hosting and use your Vercel or Cloudflare credentials. Review files for secrets or private data before sharing, avoid untrusted HTML, and prefer manual or isolated deployments until the skill adds explicit confirmations for public publishing and protection-setting changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The script can invoke external tooling via npx and may dynamically fetch and execute Wrangler and an additional workerd package from the npm ecosystem. That expands the trust boundary from local HTML export into arbitrary third-party package execution, which is risky in an agent skill because package resolution and execution occur on the user's machine with the user's privileges.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The code does more than deploy content: it calls the Vercel API to modify project settings by setting ssoProtection to null, which can weaken or remove access protections for an existing linked project. This broadens the skill from content export into account/project security reconfiguration, creating unintended public exposure risk for deployments and potentially other project assets.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Disabling deployment protection/public access is a high-risk capability because it can expose previously restricted content to anyone with the URL, or more broadly reduce organizational access controls on a linked Vercel project. In the context of an HTML export/share skill, this is more dangerous because users would reasonably expect file conversion or isolated publishing, not silent modification of project privacy settings.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The exporter accepts arbitrary image sources from the input HTML and will both fetch remote HTTP/HTTPS URLs and open local file:// paths directly. Because the tool processes untrusted HTML, this expands its behavior from document conversion into SSRF/local file read territory: an attacker can cause outbound network access or exfiltrate local files embedded as images into the generated PPTX.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The script launches a full browser to render attacker-controlled HTML, and on Linux it does so with --no-sandbox and --disable-setuid-sandbox. Rendering untrusted content in a real browser is already high-risk; removing sandboxing weakens a key isolation boundary and increases the impact of any browser or renderer exploit triggered by malicious HTML/CSS/SVG content.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README promotes a feature that publishes HTML to a live URL but does not clearly warn that the resulting content is publicly accessible. Users may unintentionally expose sensitive reports, presentations, embedded data, or internal assets if they assume sharing is limited or private, especially because the feature is presented as a convenience workflow.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly encourages publishing local HTML files or folders to public hosting providers and notes that relative assets may be copied automatically, but it does not clearly warn that this can expose sensitive content, embedded data, internal links, or adjacent assets. In a skill that processes arbitrary local HTML, users may unknowingly publish confidential reports or presentation materials to a public URL, making accidental data disclosure a realistic risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill supports publishing local HTML to a public share URL but does not clearly disclose that the uploaded HTML and copied relative assets may expose sensitive content, embedded tokens, internal links, or private data. Because the helper can package a file or folder and make it publicly reachable, insufficient privacy warning materially increases the risk of inadvertent data exposure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The deploy path publishes local HTML and referenced assets to Cloudflare Pages and returns a public URL, but the code itself provides no explicit confirmation or warning about uploading data to a third-party remote service. In the context of an agent skill, this can cause unintended disclosure of sensitive reports, embedded assets, or internal presentation content if triggered without sufficiently clear user consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script changes project privacy/protection without any user-facing prompt, warning, or confirmation, so users may unknowingly make deployments public. That violates least surprise and can lead to accidental disclosure of internal presentations, reports, or embedded assets when the skill is used for simple export or sharing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code issues outbound HTTP/HTTPS requests for image sources found in the HTML without user disclosure or consent. In the context of converting potentially untrusted HTML, this can leak network metadata, contact attacker-controlled servers, and be abused for SSRF-style probing or unexpected data egress.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script opens attacker-controlled local HTML in a headless browser with JavaScript enabled, which can execute embedded scripts and trigger network requests during export. In this skill's context, users are explicitly encouraged to export or publish arbitrary HTML, so untrusted input is expected and this behavior increases the chance of data exfiltration, SSRF-like internal network access from the host, or unintended outbound requests.

VirusTotal

67/67 vendors flagged this skill as clean.