Lakebook To Md

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Lakebook converter, but it needs review because crafted inputs can cause unsafe file writes and it performs automatic downloads and dependency installation.

Review before installing or running. Use it only on .lakebook files you trust, preferably in a disposable working directory or sandbox. Expect outbound requests to embedded image and attachment URLs, install dependencies yourself instead of relying on startup.py, and avoid running it somewhere an existing ./temp directory contains data you care about.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
req = os.path.join(
            os.path.dirname(os.path.abspath(__file__)), "requirements.txt"
        )
        subprocess.check_call([sys.executable, "-m", "pip", "install", "-r", req, "-q"])


def main():
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "-r", req, "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises file I/O, shell invocation, and network access behaviors but does not declare permissions or otherwise warn operators about those capabilities. In this context, the risk is real because the tool processes untrusted `.lakebook` content and can automatically write files and fetch remote resources, creating a transparency and policy-enforcement gap even if the stated purpose is legitimate.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code calls tarfile.extractall(extract_to) on an attacker-controlled .lakebook archive without validating member paths. A crafted tar can include absolute paths or '../' traversal entries and overwrite files outside the intended directory, which is a well-known archive extraction vulnerability. In this skill context, the function is specifically designed to unpack externally supplied export files, which makes the issue more dangerous because untrusted archives are a realistic input.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Installing dependencies from within the startup path is a risky behavior because it grants the tool package-management and code-execution capability every time imports fail. In the context of a file conversion skill, this behavior is not essential to core functionality and makes the tool more dangerous by turning normal execution into an implicit software installation step.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises automatic downloading of images and attachments, but does not clearly warn users that running the tool will initiate outbound network requests and write downloaded content to local disk. In a skill/agent context, this can surprise users, trigger unintended data transfer, and increase exposure to SSRF-like fetches, malicious file content, or unsafe writes if source data contains attacker-controlled URLs or filenames.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it will automatically download images and attachments, but it does not prominently disclose that this triggers outbound network requests to URLs embedded in the exported content. Because `.lakebook` data may contain attacker-controlled or sensitive signed URLs, automatic fetching can leak access patterns, hit malicious endpoints, or cause unintended requests to external services.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The downloader writes files derived from untrusted exported content to disk and fetches arbitrary remote URLs via requests.get(src) without URL validation, timeout control, size limits, or content-type restrictions. In a conversion skill, this increases risk of SSRF-like internal network access, unexpected external requests, and writing attacker-controlled files into the output tree, especially if a crafted .lakebook is processed automatically.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code performs automatic pip installation with no warning, prompt, or opt-in, so users may unknowingly trigger network access and package execution simply by running the converter. This undermines informed consent and increases the risk of unexpected code execution if the dependency source or requirements file is compromised.

Known Vulnerable Dependency: Requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
Requests

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
