Markdown2pdf

Security checks across malware telemetry and agentic risk

Overview

The converter itself is straightforward, but the package includes prominent sample investment reports with specific trading instructions that conflict with their own disclaimers.

Install only if you need a local Markdown converter and are comfortable reviewing the sample financial reports as non-authoritative examples. Do not rely on the bundled investment analysis for trading decisions, and consider pinning dependencies or using an isolated environment before processing untrusted documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The document states that it is not investment advice, but elsewhere gives concrete recommendations including position sizing, buy/add/sell triggers, target prices, and stop-loss instructions. This mismatch can mislead users into treating the report as advisory content while the disclaimer downplays responsibility, increasing the chance of harmful financial decisions based on unqualified or fabricated analysis.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The file states that it 'does not constitute investment advice' while elsewhere providing concrete buy ranges, stop-loss levels, target prices, position sizing, and step-by-step trading actions. This contradiction can mislead users into treating the content as actionable financial advice while the disclaimer attempts to reduce accountability, increasing legal, compliance, and user-harm risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The report presents an upfront '积极推荐' ("Actively Recommended") rating and recommends a 40-60% portfolio allocation before providing a strong, prominent warning about the risks of relying on the guidance. Because the document is framed as professional analysis and includes detailed trading steps later, users may act on it as actionable financial advice without adequate early caution, potentially causing material financial loss.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
markdown>=3.5.0
pdfkit>=1.0.0
imgkit>=1.2.3
wkhtmltopdf>=0.2.0
Confidence: 95%
Finding: markdown>=3.5.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
markdown>=3.5.0
pdfkit>=1.0.0
imgkit>=1.2.3
wkhtmltopdf>=0.2.0
Confidence: 92%
Finding: pdfkit>=1.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
markdown>=3.5.0
pdfkit>=1.0.0
imgkit>=1.2.3
wkhtmltopdf>=0.2.0
Confidence: 92%
Finding: imgkit>=1.2.3

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
markdown>=3.5.0
pdfkit>=1.0.0
imgkit>=1.2.3
wkhtmltopdf>=0.2.0
Confidence: 90%
Finding: wkhtmltopdf>=0.2.0

Known Vulnerable Dependency: markdown — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like se)

Severity: High
Category: Supply Chain
Confidence: 97%
Finding: markdown

VirusTotal

60/60 vendors flagged this skill as clean.
