Pdf Vision

Security checks across malware telemetry and agentic risk

Overview

The PDF extraction behavior is mostly expected, but the package also appears to include an unrelated GitHub repository script that looks for tokens, and the document-upload/storage behavior is under-disclosed.

Review before installing. Remove or ignore the GitHub repository script unless you explicitly need it, and do not let it access broad GitHub tokens. Treat any processed PDF as uploaded to third-party model providers, avoid confidential documents unless approved, and check whether temporary payload/response files are disabled or cleaned up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation indicates capabilities to read configuration, invoke shell tools, write temporary files, and send data over the network, but it does not declare permissions accordingly. This creates a transparency and consent problem: users and enforcement systems may underestimate the skill's access, especially since it handles potentially sensitive PDF contents and local configuration data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script's functionality is unrelated to the stated PDF vision/OCR purpose of the skill and performs account-level GitHub operations instead. In a skill package, unexpected repository-creation behavior materially increases supply-chain and trust risk because users may run it assuming it supports document extraction when it actually modifies their GitHub account.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code accesses GitHub credentials and uses them to perform remote account actions that are unrelated to PDF extraction. That mismatch makes the skill more dangerous in context because users would not reasonably expect an OCR skill to inspect secrets and create repositories on their behalf.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The docstring states the script uses 'your token' but omits that it will also search ~/.bashrc for credentials. This discrepancy hides sensitive behavior from reviewers and users, undermining informed consent and making secret harvesting from local configuration appear more acceptable than it is.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to extract PDF content by converting pages to images and sending them to third-party vision APIs, but it does not warn that potentially sensitive document contents will leave the local environment. In a document-processing skill, this omission is materially important because users may process invoices, schedules, research papers, or other confidential records without realizing they are being transmitted to external providers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends document images and prompts to third-party API providers, but the description does not prominently warn users that document contents leave the local environment. For scanned PDFs, this can expose sensitive personal, financial, legal, or internal business information to external services without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill writes converted page images plus API payload and response JSON files to /tmp, which may expose document contents, prompts, extracted text, and possibly metadata or tokens to other local users or later processes if permissions and cleanup are not carefully handled. Because these artifacts are debugging-oriented and contain sensitive material, undocumented temporary storage materially increases leakage risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Reading credentials from ~/.bashrc without explicit warning or consent is unsafe because it silently harvests secrets from a broader source than the user may intend. In the context of an OCR skill, this behavior is especially suspicious and can lead to unauthorized use of a user's GitHub account if the script is run casually.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script converts PDF pages to images, embeds the full page contents in a request payload, and sends them to an external model API without any explicit consent gate, disclosure, redaction option, or destination allowlist. In the context of scanned-document extraction, this can expose sensitive documents such as IDs, contracts, financial records, or medical data to third-party services unexpectedly.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill sends rendered PDF page images and prompts to third-party vision APIs, which may expose sensitive document contents to external providers. Because the tool is explicitly for processing scanned PDFs, users may supply confidential documents, and the absence of a clear privacy/data-sharing warning materially increases the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code writes full API payloads and responses, including base64-encoded document images and extracted document text, to predictable files in `/tmp` or a user-supplied temp directory. On multi-user systems or misconfigured environments, these artifacts can be recovered by other users or processes, causing persistent leakage of sensitive document data beyond the API transmission itself.

VirusTotal

65/65 vendors flagged this skill as clean.