MiniMax PDF Pro

Security checks across malware telemetry and agentic risk

Overview

The skill’s PDF purpose is coherent, but it gives agents broad install and browser-rendering authority that users should review before use.

Install only if you are comfortable with it modifying your Node/Python environment and downloading browser/TeX dependencies. Prefer running it in an isolated workspace or container, preinstall and pin dependencies yourself, avoid sensitive or untrusted HTML unless network access is blocked, and do not use the curl-to-shell Tectonic step without independent verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys

# Excerpt: the helper tries each pip invocation in turn until one succeeds
for install_cmd in [
    [sys.executable, "-m", "pip", "install", "-q", "--break-system-packages", "pypdf"],
    [sys.executable, "-m", "pip", "install", "-q", "--user", "pypdf"],
]:
    result = subprocess.run(install_cmd, check=False, capture_output=True)
    if result.returncode == 0:
        break
Confidence
97% confidence
Finding
result = subprocess.run(install_cmd, check=False, capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to use shell commands, install packages, and perform network-dependent dependency setup, but it declares no permissions. This creates a governance and transparency gap: a caller or platform may assume the skill is non-executing while it can actually invoke shell, access environment state, and trigger package downloads. In an agent system, undeclared execution capability increases the risk of unexpected command execution and makes policy enforcement harder.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented purpose understates actual behavior by omitting translation-link preservation logic and broader office-document conversion via LibreOffice. This matters because those behaviors expand the attack surface: file conversion and HTML/link processing can invoke additional parsers, external resources, or risky document formats that users and policy engines may not expect. Hidden or underdocumented capabilities make it easier for sensitive inputs to be routed to a skill without appropriate scrutiny.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs users to download and execute a remote shell script via curl piped to sh. This is dangerous because it grants arbitrary code execution to whatever content is served from that URL at runtime, creating a supply-chain and remote code execution risk unrelated to ordinary document authoring.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The route depends on network access and automatic package/font retrieval during compilation, which expands the trust boundary beyond local PDF generation. While common in TeX tooling, this can enable unreviewed external content fetches, nondeterministic builds, privacy leakage, and increased exposure to supply-chain compromise.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper can invoke `npx playwright install chromium`, which performs package/download installation as a side effect of a PDF workflow. That expands the skill's privileges from rendering PDFs to modifying the host environment and fetching executable code, creating supply-chain and unauthorized system-change risk if triggered in an automated agent context.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code enumerates `/home`, `/Users`, `/root`, and named users' cache directories to locate browser binaries, including other users' homes. In multi-user or sandboxed environments this is overbroad for a PDF helper, can expose information about other accounts and installed software, and may bypass expected isolation by reusing binaries from locations outside the current user's scope.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A PDF/LaTeX compilation helper should not silently fetch and install Python packages as part of routine execution. In an agent skill context, this behavior is more dangerous because the tool may run unattended, unexpectedly reaching out to package indexes and altering the host environment without informed user consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
If the local Paged.js file is missing, the script downloads and executes JavaScript from a public CDN inside the browser context. In a PDF-conversion tool that processes potentially untrusted documents, this creates a supply-chain and integrity risk: a compromised CDN response, dependency takeover, or unexpected upstream change could execute arbitrary script during conversion and affect local files or produced output.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The converter loads attacker-controlled HTML with Playwright and waits for network activity to settle, which allows embedded resources such as scripts, images, stylesheets, iframes, or fetch/XHR requests to make outbound network connections. In this skill context, users may supply arbitrary HTML, so this can enable SSRF-like behavior, internal network probing, metadata-service access, tracking, or unintended data exfiltration from the conversion environment.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The `fix` subcommand performs network-based package installation with npm and pip, including global npm installs and Python user-site installs. In an agent skill context, this is security-relevant because invoking the skill can modify the execution environment, pull unpinned third-party code, and expand the attack surface beyond PDF generation itself, especially if an attacker can influence when `fix` is run or how package sources are resolved.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The script states it 'does NOT auto-install anything', but it invokes `npx playwright` in version-detection paths. `npx` may resolve and execute package code from the network when Playwright is not already installed, which breaks the script's non-install/non-execution guarantee and can lead to unintended code execution in a setup-check context.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The template hard-codes Chinese output via `lang="zh-CN"` and surrounding instructions in Chinese, which can steer the agent to produce content in Chinese regardless of the user's requested language. In an agent skill, this is a policy and instruction-integrity issue because it can override user intent and degrade reliability, especially for multilingual or compliance-sensitive documents.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill presents execution of a remote install script as a normal setup step without warning about authenticity verification, integrity checks, or the risks of piping downloaded content into a shell. This materially increases the chance that an agent or user will perform unsafe code execution without scrutiny.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script auto-installs Chromium through a subprocess without any confirmation in this file, so a normal conversion path may unexpectedly download and install software. In an agent skill, silent environment mutation is risky because it can consume network/system resources, violate policy expectations, and introduce unreviewed binaries into the runtime.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script installs `pypdf` without any upfront disclosure in the command interface or module documentation, so operators may unknowingly trigger package installation and environment changes. This lack of transparency is risky in controlled or production environments where outbound network access, package provenance, and system state changes must be explicitly approved.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.