Markdown Mobile Export

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform Markdown-to-image export, but it can automatically install Python packages and a browser during normal use without a clear opt-in step.

Install only if you are comfortable with the skill changing the active Python environment and possibly downloading Playwright Chromium. Prefer running it in an isolated virtual environment or container, preinstall reviewed dependencies yourself, and avoid processing sensitive Markdown unless you control the output directory and delete retained .source.md and HTML files afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install_playwright_browser() -> None:
    subprocess.run(
        [sys.executable, "-m", "playwright", "install", "chromium"],
        check=True,
    )
Confidence
91% confidence
Finding
subprocess.run([sys.executable, "-m", "playwright", "install", "chromium"], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    install_commands.append([uv_path, "pip", "install", "--python", sys.executable, package_name])

    for ensure_command in ensure_commands:
        subprocess.run(ensure_command, check=False)

    last_error: Exception | None = None
    for command in install_commands:
Confidence
87% confidence
Finding
subprocess.run(ensure_command, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    last_error: Exception | None = None
    for command in install_commands:
        try:
            subprocess.run(command, check=True)
            return
        except Exception as exc:  # noqa: BLE001
            last_error = exc
Confidence
90% confidence
Finding
subprocess.run(command, check=True)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script is designed to bootstrap missing libraries by installing Playwright and Pillow during execution, which is unrelated to the narrow expectation of converting local rendered HTML into an image. In skill context, this makes the capability more dangerous because users would reasonably expect file conversion, not environment mutation and network retrieval of packages/binaries.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Executing subprocesses to install or manage dependencies gives the skill the ability to alter the host environment beyond its core document-export purpose. In this context that is a meaningful overreach: the skill handles local content conversion, so hidden dependency management increases trust and supply-chain risks without clear necessity.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill description promises local Markdown-to-image conversion, but this script only produces HTML and includes logic to install packages at runtime. That mismatch is dangerous because users and orchestrators may grant the skill trust and permissions based on a narrower expected behavior, while the code silently expands scope to environment modification and network/package-manager activity.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script automatically invokes `ensurepip` and `pip`/`uv pip` to install packages during normal execution. For a Markdown export skill, this is unjustified and high risk because it modifies the host environment, may trigger network access and package retrieval, and can expose the system to dependency confusion, malicious packages, or unintended persistent changes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow states that pasted Markdown is normalized into a `.source.md` file and that HTML is retained beside the image, but the description does not warn users that pasted content will be written to disk and preserved. If users paste sensitive notes, credentials, or proprietary text, the skill may leave recoverable artifacts on the filesystem beyond the expected image output.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code installs a browser automatically if local browser launches fail, with no prompt or disclosure beyond internal logic. Silent acquisition and installation of a large executable dependency is risky because it performs networked system changes and may surprise users or violate constrained execution environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill performs automatic package installation and subprocess execution without any user-facing warning, consent, or opt-in. In an agent-skill context, that is risky because users expect document conversion, not hidden system changes; silent installs reduce transparency and can bypass policy expectations around network access and host modification.

VirusTotal

VirusTotal findings are pending for this skill version.
