Amber Url To Markdown

Security checks across malware telemetry and agentic risk

Overview

This URL-to-Markdown skill is mostly coherent, but its optional auto-trigger hook can run shell commands from crafted chat URLs and it retains authenticated browser state for some sites.

Treat this as a Review item before installing. Do not enable the auto-fetch hook until the handler uses argument-based execution instead of shell exec, validates URLs, blocks shell metacharacters, and adds domain/private-network safeguards. Avoid storing Doubao cookies or pasting Cookie headers unless you understand the account-access risk and can delete the saved profile and output files afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (59)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The changelog explicitly introduces authenticated fetching via Cookie/Token for paid or internal content, which materially expands the tool from public URL conversion into access to restricted resources. In an auto-triggering URL skill, this scope expansion is dangerous because it can encourage collection or transmission of sensitive session credentials and enable processing of content the tool was not clearly declared to access.

Description-Behavior Mismatch

Low
Confidence
79% confidence
Finding
The documented support for dynamic JavaScript rendering adds browser-like remote content execution behavior beyond a simple URL-to-Markdown fetcher. That increases attack surface because rendering engines may load additional remote resources, execute untrusted page scripts, and expose the host environment to privacy and integrity risks not reflected in the stated scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Authenticated retrieval of paid or internal documents is not justified by the stated public URL conversion purpose and can facilitate access to sensitive enterprise or subscription content. In practice, this can lead to overcollection of confidential data and misuse of bearer tokens or session cookies within an automation context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation explicitly advertises '反检测配置' ("anti-detection configuration") together with persistent authenticated browser state for scraping content behind login. In the context of a URL-to-Markdown skill, this goes beyond ordinary content conversion and encourages evasion-oriented collection of protected content, increasing the risk of unauthorized access, terms-of-service violations, and abuse of stored authenticated sessions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document describes using a persistent browser context, spoofed browser headers, and anti-detection techniques specifically to bypass normal access controls and retain authenticated session state. In a URL-to-Markdown skill, this exceeds ordinary content conversion and creates a meaningful risk of unauthorized scraping, reuse of stored credentials/cookies, and access to content beyond what the current user explicitly intended to expose.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The workflow writes scraped content, images, and browser user data to fixed filesystem paths under root-owned directories, creating persistent local storage of potentially sensitive content and authentication artifacts. Fixed-path persistence increases the chance of unintended retention, cross-user data exposure, accidental reuse, and poor lifecycle control, especially in an automatically triggered skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation explicitly advertises "anti_detection" and "use_persistent_context" as configurable features, which materially expand the capability from simple URL-to-Markdown conversion into behavior associated with stealth scraping and session reuse. In an auto-triggering skill that fetches arbitrary user-supplied URLs, these features increase the risk of bypassing site defenses, carrying over authenticated state, and collecting more data than users or site operators would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code deliberately uses anti-detection techniques such as randomized delays, scrolling, and mouse movement to mimic human behavior and evade bot detection. For a content conversion utility, this exceeds legitimate rendering needs and increases the likelihood of bypassing site protections or terms-based access controls, especially when applied automatically to arbitrary user-supplied URLs.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill creates a persistent Playwright browser context and stores Doubao login state and cookies on disk, enabling future authenticated scraping without renewed user consent. In a skill that auto-triggers on URLs, persistent session retention materially increases privacy and account-misuse risk if the host environment is shared, compromised, or the stored profile is reused beyond the user's expectations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill exposes an authenticated fetch path that accepts caller-supplied cookies or bearer tokens and sends them to whatever URL is provided. In a URL-to-Markdown tool, this extends capability beyond simple public-page retrieval and can enable secret-bearing requests to arbitrary destinations, creating credential leakage and cross-origin misuse risk if higher-level callers do not strictly constrain targets.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The dynamic rendering helper introduces browser-like JavaScript execution through requests-html, which materially broadens the attack surface compared to a plain HTTP fetcher. Rendering untrusted pages can trigger active content, extra network access, and resource abuse, making the skill more dangerous than its stated URL-to-Markdown purpose suggests.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The changelog describes an automatically triggered hook that activates on broad user input patterns such as any pure URL message or URL plus generic intent keywords, but it does not document meaningful exclusion conditions, consent requirements, or trust boundaries. In a skill that fetches remote content automatically, broad activation increases the chance of unintended network access, processing of attacker-supplied URLs, and surprise execution behavior, which makes the capability materially more dangerous in context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The changelog describes Cookie/Token-based requests without any handling guidance for secrets, which is a concrete security gap because these values are highly sensitive and commonly leaked through logs, config files, error traces, or reuse across domains. Since the skill can auto-fetch URLs, poor credential hygiene could expose active sessions or API access to unintended targets.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Dynamic page fetching via requests_html render() implies browser-style processing of untrusted remote content, but the documentation omits any warning about network side effects, script execution, or sandboxing expectations. This is dangerous because rendered pages can trigger additional requests, tracking, or potentially exploit weaknesses in the rendering stack, especially in an automated skill environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog includes an irreversible deletion command for a backup directory but does not clearly warn about data loss or advise users to verify the target path before execution. In documentation for an auto-triggering URL-processing skill, copy-paste shell commands are likely to be executed directly, so an unsafe deletion example increases the risk of accidental destructive actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide instructs users to copy a full authenticated Cookie header from the browser and paste it into code, which creates a high risk of credential leakage through source files, logs, screenshots, backups, or accidental sharing. Because these cookies may grant direct account access, misuse or exposure could let an attacker impersonate the user and access protected content or account functionality.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill auto-fetches a provided Doubao URL through a browser session and saves the resulting content to disk, but the document does not clearly disclose these collection and retention behaviors to the user at the point of use. This creates a transparency and consent gap that can lead users to unknowingly trigger automated access, local storage of private content, and potential processing of authenticated data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document promotes a hook that automatically processes incoming messages containing URLs and writes fetched content to disk, but it does not present a clear, prominent consent/privacy warning before enablement. In a chat environment, automatic background processing of user messages can surprise users, capture sensitive links, and persist data locally without informed consent, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation instructions tell users how to enable the hook and restart the gateway, but they do not clearly disclose that doing so enables continuous background monitoring of received messages and automatic file creation. This omission can lead operators to deploy message-triggered automation without understanding the privacy, compliance, and storage implications for all users of the system.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The example shows that running the skill saves a file, but the documentation does not warn users that local filesystem writes will occur. In an agent context, silent file creation can surprise users, overwrite data, or store sensitive fetched content on disk without informed consent.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The document advertises URL fetching and asynchronous batch requests without warning about external network access, privacy implications, or the possibility of contacting multiple remote hosts. In an agent skill with automatic URL-trigger behavior, this increases the risk of unintended outbound requests, metadata leakage, or bulk access to user-provided links.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide promotes an auto-trigger hook that fetches remote URLs and writes Markdown files automatically when messages contain links, but it does not prominently warn users about the resulting network access, content processing, and local file creation. In a messaging-triggered workflow, this can cause unexpected retrieval of untrusted content, privacy leakage, or disk consumption from merely sending or receiving a URL-shaped message.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installation flow recommends enabling automatic triggering as a normal or recommended step, but provides no accompanying warning that incoming URLs will be fetched automatically and converted to files. That makes the skill more dangerous in practice because users may enable it without understanding that untrusted chat content can trigger network activity and persistent local artifacts.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The documented auto-trigger conditions are broad enough to activate on ordinary user messages containing a URL and generic phrases like 'parse this link' or 'download this article'. In an agent environment, this can cause unintended network access and content retrieval without clear, explicit consent, increasing the risk of prompt-triggered external requests and downstream disk writes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that articles and all images are automatically downloaded and saved under a local directory, but it does not prominently warn that this creates persistent files on disk. In a chat-agent context, implicit local writes can surprise users, consume storage, retain sensitive or copyrighted content, and combine dangerously with broad auto-triggering to create unwanted persistence from a simple message.

VirusTotal

66/66 vendors flagged this skill as clean.
