ClawHub

Book Infographic

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it parses a user-provided PDF into local summary data and an editable infographic, with manageable privacy and third-party script cautions.

Install this if you are comfortable with selected PDFs being extracted into local output files. Avoid confidential PDFs unless you control where the JSON/HTML is written and delete outputs afterward. For sensitive use, prefer replacing the CDN ECharts script with a local pinned copy before opening generated HTML.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs the agent to run a parser and produce output files such as `./extracted_content.json`, which is a file-write capability, but no corresponding permission is declared. Undeclared write access weakens sandboxing and user transparency because the skill can modify the workspace in ways the policy layer may not expect, even if the intended output is benign.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The template loads ECharts from a third-party CDN at runtime, which introduces a supply-chain and privacy risk: generated pages will make outbound requests and execute remote JavaScript outside the skill author's direct control. If the CDN resource is compromised, blocked, or altered, users opening the infographic could be exposed to malicious script execution or broken rendering.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal