ClawHub

Pdf

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local PDF-processing skill that reads and writes user-chosen document files without evidence of hidden access, exfiltration, persistence, or destructive behavior.

Use this skill on PDFs you are allowed to process, choose output paths deliberately, and review generated or filled PDFs before signing, submitting, or sharing them. Treat decrypted PDFs, extracted text, images, and JSON field files as sensitive if the source document is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill demonstrates file read and file write operations throughout the guide but declares no permissions, which weakens transparency and permission enforcement for an agent that may access local documents and create derived files. In an agent setting, undeclared filesystem capabilities can lead to processing or overwriting sensitive PDFs without clear user awareness or policy controls.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The guide includes a decryption command for password-protected PDFs and multiple examples that write new output files, but it does not warn about handling confidential content, legal/authorization requirements, or the risk of leaving decrypted artifacts on disk. In an automated agent workflow, this can cause sensitive document exposure by silently producing plaintext copies or modified derivatives in accessible locations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal