Visual Explainer for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a useful visual HTML generator, but it also includes public publishing and document-editing workflows that are higher impact than the headline description suggests.

Install only if you are comfortable with a visual-generation skill that can read project context, write persistent HTML files, open them in a browser, optionally call external image-generation tools, edit documents during fact-checking, and publish selected HTML publicly through Vercel. Avoid using the share workflow for confidential code, plans, architecture, or customer data, and review fact-check edits before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (43)

Category: MCP Tool Poisoning
Severity: High
Confidence: 97%
Finding: The skill advertises local self-contained HTML generation but also includes a sharing workflow that deploys generated content to a public Vercel URL. That creates an unexpected data egress path: sensitive code, plans, diffs, or architecture details could be published externally under the guise of a visualization task, which is materially riskier than the declared behavior suggests.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The skill documentation claims self-contained local HTML output, yet later adds a public deployment path via Vercel. This inconsistency can mislead users and higher-level agents into approving or invoking the skill in contexts where external publication is not acceptable.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: Publishing generated pages to a live URL is outside the core need of producing local visual explanations and introduces unnecessary external communication. If the page contains source code, review notes, architecture, or internal plans, the share flow can disclose sensitive information to third parties.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The prompt explicitly instructs the agent to mine conversation history and local memory/progress files to reconstruct rationale, even though that data is not necessary to generate a code diff visualization. This creates an unnecessary data access path that can expose prior user content, workspace notes, or unrelated sensitive project information in the generated review or in the model context.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The optional `surf gemini --generate-image` step invokes an external AI/image-generation tool unrelated to the core need of reviewing a diff. This can transmit repository-derived prompts or contextual details to a third-party model/service, increasing data exfiltration risk and expanding the trust boundary without clear necessity or consent.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The prompt substantially repurposes a visual-explainer skill into a codebase fact-checker, git-history auditor, and document editor. That scope expansion is dangerous because it grants broad read/write behavior over repository files without being justified by the skill's stated purpose, increasing the chance of unauthorized modifications and misuse under a misleading skill label.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The prompt directs the agent to inspect source files, git history, diffs, and refs, which exceeds what a visual explanation renderer should need. In context, this broad auditing capability increases data exposure and can be abused to mine repository history or unrelated code content under the guise of generating visuals.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The prompt explicitly instructs direct in-place edits to arbitrary target documents, including rewriting incorrect sections while preserving structure. In a skill framed as a visual explainer, this creates a hidden file-modification pathway that can alter user content unexpectedly, cause integrity loss, and overwrite documents based on imperfect automated verification.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The prompt explicitly instructs the agent to invoke an external CLI (`surf gemini --generate-image`) if available. Calling external tools introduces side effects, expands the trust boundary, and may transmit prompt or workspace-derived content to another program or remote service without clear user consent, which exceeds simple HTML generation.

Category: Context-Inappropriate Capability
Severity: Low
Confidence: 95%
Finding: The instruction to automatically open the generated result in a browser is a side effect beyond producing an HTML artifact. Even if low risk, launching applications without explicit user intent can surprise users, trigger unintended network/resource use, and weaken the principle of least astonishment for a content-generation skill.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: The prompt expands the skill from generating self-contained HTML into optionally invoking an external AI image-generation CLI. That introduces additional capabilities, dependencies, and likely data handling paths not covered by the stated skill scope, which can cause user content to be sent to another tool or service without clear necessity or consent.

Category: Description-Behavior Mismatch
Severity: Low
Confidence: 80%
Finding: The prompt directs the agent not only to generate HTML but also to open the result in a browser, which is an extra side effect beyond the manifest's stated purpose. While lower severity, this broadens the skill's operational scope and can surprise users by causing an unsolicited local action.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The prompt explicitly instructs the agent to write generated output to a fixed path under the user's home directory and open it in a browser. That extends the skill from passive content generation into side-effectful local actions, which can create persistent artifacts and launch applications without explicit user confirmation.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The optional `surf gemini --generate-image` step invokes an external CLI that may send plan or codebase-derived context to a third-party service. Because the prompt suggests doing this opportunistically when available, it introduces undisclosed data egress beyond the skill's stated purpose of producing self-contained HTML explanations.

Category: Context-Inappropriate Capability
Severity: Low
Confidence: 94%
Finding: Instructing the agent to automatically open the generated HTML in a browser causes a local side effect beyond content generation. Launching applications can unexpectedly execute active HTML/JS, trigger network access in the browser, or disrupt the user's environment without explicit consent, making this an unsafe automation behavior.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The prompt expands the skill from local HTML generation into public internet deployment via Vercel, which is a materially different and higher-risk capability. Because it instructs the agent to publish files publicly without strong scope limits, consent gates, or content sensitivity checks, it can expose confidential diagrams, code summaries, or internal architecture to anyone with the URL.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: Adding external public hosting is not necessary for the stated purpose of generating visual explainers and significantly broadens the trust boundary from local rendering to third-party publication. In practice, this creates an exfiltration path where generated artifacts containing proprietary or sensitive information can be uploaded outside the local environment.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: This guidance instructs the agent to run shell commands (`which surf`, `surf ...`, `base64`, `rm`) and handle temporary files as part of slide generation, even though the skill is described as producing self-contained HTML explainers. Expanding a presentation skill into command execution increases the attack surface and can normalize unsafe tool use, especially if prompts or file paths become influenced by untrusted input.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The file directs the agent to proactively check for and use an external image-generation tool for qualifying decks, which exceeds the minimal scope of generating HTML explanations. Even without explicit shell snippets at this line, the instruction encourages unnecessary tool invocation and increases exposure to prompt-influenced external actions.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: This script adds a public-sharing/deployment capability to a skill whose stated purpose is generating self-contained visual explanations, materially expanding the trust boundary from local rendering to publishing content on the public internet. If the generated HTML contains proprietary code diffs, architecture details, secrets, or sensitive internal data, invoking this helper can expose that information via a publicly accessible Vercel URL.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 93%
Finding: The script searches for and invokes an external deployment helper, then publishes user-provided HTML through that helper, which is functionality not justified by the core skill description of generating visual explanations. This creates an unexpected exfiltration path: content intended for local viewing can be sent to a third-party hosting service, increasing the risk of unauthorized disclosure and reducing user control over data handling.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The template is advertised as producing self-contained visual explainers, but it preconnects to Google Fonts and later imports Mermaid/ELK from jsDelivr. That creates unexpected outbound network access, privacy leakage, runtime dependency on third parties, and a supply-chain risk if CDN content changes or is compromised.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: This is a real security/design issue because the skill metadata promises self-contained HTML, yet the file depends on remote fonts and later remote script modules. In an agent setting, that mismatch can cause operators to trust generated artifacts as offline-safe when they actually beacon to third parties and inherit external code-execution risk in the browser.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The inline comments describe Mermaid and ELK as imported assets, but the actual implementation fetches them from remote CDNs at runtime. That is dangerous because it obscures the trust boundary and can mislead reviewers into thinking the diagram renderer is bundled and deterministic when it is actually externally supplied code.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The template is advertised as self-contained but fetches fonts from Google at runtime, creating an external dependency that can leak viewer metadata, fail in offline/restricted environments, and undermine reproducibility. In an agent skill that generates deliverables for users, this mismatch can cause unexpected network access and policy violations even if the resources themselves are not overtly malicious.

VirusTotal

63/63 vendors flagged this skill as clean.