Prompt to Drawio

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it needs review because it can send attached documents, URLs, diagram XML, and rendered diagram images to an external model provider while also auto-loading nearby .env files.

Install only if you are comfortable with this skill sending prompts, selected files, URL-derived text, diagram XML, and validation images to your configured model provider. Prefer --no-dotenv or an explicit minimal --dotenv-file, avoid confidential diagrams unless the provider is approved, and use --no-docker-fallback if you do not want Docker used during export or validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and documents capabilities to read local files, write output files, access environment variables, invoke shell commands, and fetch URLs, but it does not declare any permissions boundary or constraints. In an agent environment, this increases the chance of overbroad execution and makes sensitive file access, secret exposure from env vars, or unintended network retrieval harder to govern and audit.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill automatically discovers and loads a project .env file from the current directory or any parent directory, importing arbitrary secrets into process environment without a strong need tied to diagram generation. Because the tool also sends prompts, file contents, URLs, existing diagram XML, and images to remote model endpoints, this broad credential loading materially increases the blast radius of prompt injection, accidental disclosure, and misuse of unrelated secrets.
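To see the blast radius the finding describes, here is an added example (not the skill's own code) that contrasts an upward .env search, where the nearest file wins and every key is imported, with an explicit, allowlisted load of only the key a diagram tool actually needs. The directory layout, the variable name MODEL_API_KEY and the placeholder values are all constructed for the example.

```python
"""Upward .env discovery versus an explicit, allowlisted load (added example, not
the skill's own code). Shows how a parent-directory search pulls unrelated
secrets into a diagram tool's process."""
from __future__ import annotations

import tempfile
from pathlib import Path

DOTENV_NAME = ".env"


def find_dotenv_upward(start: Path) -> Path | None:
    """Return the nearest .env walking from `start` up to the filesystem root."""
    for directory in (start, *start.parents):
        candidate = directory / DOTENV_NAME
        if candidate.is_file():
            return candidate
    return None


def parse_dotenv(path: Path) -> dict[str, str]:
    """Minimal KEY=VALUE parser: ignores blank and comment lines, strips matching quotes."""
    values: dict[str, str] = {}
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def load_auto_discovered(start: Path) -> dict[str, str]:
    """The behaviour the finding describes: nearest .env wins, every key is imported."""
    found = find_dotenv_upward(start)
    return parse_dotenv(found) if found else {}


def load_allowlisted(dotenv_file: Path, needed: frozenset[str]) -> dict[str, str]:
    """Hardened variant: an explicitly named file and only the keys the tool uses.
    A caller would copy just these into os.environ, or better, pass them directly."""
    return {k: v for k, v in parse_dotenv(dotenv_file).items() if k in needed}


def build_sample_tree(root: Path) -> Path:
    """Constructed layout: a monorepo .env at `root`, a diagrams subproject two
    levels down with no .env of its own. Values are placeholders, not credentials."""
    (root / DOTENV_NAME).write_text(
        "# constructed sample\n"
        "MODEL_API_KEY=example-model-key\n"  # assumed name of the one key diagram generation needs
        "AWS_SECRET_ACCESS_KEY='example-aws-secret'\n"
        "DATABASE_URL=postgres://app:example@db.internal/prod\n"
    )
    workdir = root / "docs" / "diagrams"
    workdir.mkdir(parents=True)
    return workdir


def compare_loaders() -> tuple[dict[str, str], dict[str, str]]:
    """Run both strategies against the sample tree; return (auto-discovered, allowlisted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        workdir = build_sample_tree(root)
        broad = load_auto_discovered(workdir)
        narrow = load_allowlisted(root / DOTENV_NAME, frozenset({"MODEL_API_KEY"}))
    return broad, narrow


if __name__ == "__main__":
    broad, narrow = compare_loaders()
    print("auto-discovery imported:", sorted(broad))  # includes the AWS and database secrets
    print("allowlisted load imported:", sorted(narrow))
```

Run from the `docs/diagrams` subproject, the auto-discovery path never sees a .env of its own and climbs until it reaches the monorepo file, so the AWS and database secrets land in the same process that later forwards content to the model provider. The allowlisted loader is what the `--dotenv-file` recommendation in the overview amounts to: a named file and a named set of keys.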

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The skill executes local helper programs for PDF parsing and image export and can invoke Docker, which expands its capability well beyond pure prompt-to-diagram generation. In a hostile workspace, invoking local binaries and mounting directories into a container increases exposure to unsafe local tools, untrusted document parsing behavior, and unintended filesystem access patterns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes ingesting files, URLs, images, PDFs, and prompts and notes network access to an external model-provider endpoint, but it does not clearly warn users that supplied content may be transmitted off-host to third-party services. In an agent-skill context, this omission is security-relevant because users may assume local-only processing and unintentionally disclose sensitive diagrams, documents, credentials, or internal URLs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly encourages sending prompts plus file, image, PDF, and URL context to an external OpenAI-compatible model API, but does not warn users that the supplied content may be transmitted off-host to third-party services. In an agent/CLI context, users may provide architecture diagrams, internal PDFs, screenshots, or URLs containing sensitive business or security information, creating an avoidable confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Generation sends the composed prompt plus attached file text, URL-derived text, and image data URLs directly to the model API, but the code provides no explicit disclosure at the transmission point. This is dangerous because users may attach sensitive local documents or images expecting local processing, while the skill silently forwards that content to an external provider.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The edit workflow includes the full existing diagram XML and any attached context in the request sent to the model API. Existing diagrams can contain sensitive architecture details, internal names, network topology, or embedded notes, so transmitting the full XML without a clear disclosure creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Validation converts diagram content into an image and uploads it to the model API for visual review, again without an explicit transmission warning. Diagram images often expose sensitive business logic, system architecture, credentials-in-diagrams, or internal labels, making silent external upload a meaningful privacy and security issue.
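The three transmission findings above (generation, edit, validation) share one missing control: a point where the user sees what is about to leave the host and where obviously sensitive diagram content is stopped. Here is an added example of such a guard, not the skill's own code. It enumerates a request's parts (prompt, file text, URL text, existing diagram XML, image data URLs), extracts the visible labels from a draw.io file (handling both plain and deflate-compressed pages, the format draw.io uses), and vetoes the request if a label looks like it carries a credential. The provider host name, the sample diagram and the secret patterns are constructed for the example.

```python
"""Pre-transmission guard for an LLM-backed diagram tool (added example, not the
skill's own code): list what a request would send off-host and flag secret-looking
strings in draw.io labels before anything leaves the machine."""
from __future__ import annotations
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Signatures for credentials that commonly get pasted into diagram labels or notes.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?i)\b(?:pass(?:word)?|secret|token)\s*[:=]\s*\S+")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

def decompress_diagram(payload: str) -> str:
    """draw.io stores compressed pages as base64(raw-deflate(urlencoded XML))."""
    return unquote(zlib.decompress(base64.b64decode(payload), -15).decode())

def compress_diagram(xml_text: str) -> str:
    """Inverse of decompress_diagram; used here only to build the constructed sample."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(quote(xml_text, safe="").encode()) + comp.flush()
    return base64.b64encode(raw).decode()

def diagram_labels(mxfile_xml: str) -> list[str]:
    """Visible text (mxCell `value` attributes) of every page, whether the <diagram>
    element holds plain <mxGraphModel> markup or a compressed payload."""
    root = ET.fromstring(mxfile_xml)
    models = [root] if root.tag == "mxGraphModel" else []
    for diagram in root.iter("diagram"):
        model = diagram.find("mxGraphModel")
        if model is None and diagram.text and diagram.text.strip():
            model = ET.fromstring(decompress_diagram(diagram.text.strip()))
        if model is not None:
            models.append(model)
    return [c.get("value") for m in models for c in m.iter("mxCell") if c.get("value")]

def scan_labels(labels: list[str]) -> list[tuple[str, str]]:
    """Flag secret-looking substrings. Labels are HTML, so tags are stripped first;
    only a short prefix of each hit is kept so the report itself does not leak it."""
    hits = []
    for label in labels:
        text = re.sub(r"<[^>]+>", " ", label)
        for name, pattern in SECRET_PATTERNS:
            hits += [(name, m.group(0)[:8] + "...") for m in pattern.finditer(text)]
    return hits

def check_before_send(prompt, files, url_texts, diagram_xml, image_data_urls, provider_host):
    """Manifest of everything that would leave the host (kind, source, bytes), plus a
    veto when any diagram label looks like it carries a credential."""
    manifest = [("prompt", "<inline>", len(prompt.encode()))]
    manifest += [("file", name, len(text.encode())) for name, text in files.items()]
    manifest += [("url", url, len(text.encode())) for url, text in url_texts.items()]
    if diagram_xml:
        manifest.append(("diagram_xml", "<existing diagram>", len(diagram_xml.encode())))
    manifest += [("image", f"data-url #{i}", len(d)) for i, d in enumerate(image_data_urls, 1)]
    hits = scan_labels(diagram_labels(diagram_xml)) if diagram_xml else []
    return {"destination": provider_host, "manifest": manifest, "secret_hits": hits, "allowed": not hits}

def build_sample_mxfile() -> str:
    """Constructed two-page draw.io file: page one plain, page two compressed.
    AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key, not a real credential."""
    page_two = ('<mxGraphModel><root><mxCell id="0"/><mxCell id="1" parent="0"/>'
                '<mxCell id="2" value="API Gateway (key AKIAIOSFODNN7EXAMPLE)" vertex="1" parent="1"/>'
                '</root></mxGraphModel>')
    return ('<mxfile host="example"><diagram id="one" name="Page-1"><mxGraphModel><root>'
            '<mxCell id="0"/><mxCell id="1" parent="0"/>'
            '<mxCell id="2" value="Web tier" vertex="1" parent="1"/>'
            '<mxCell id="3" value="Orders DB&lt;br&gt;password=hunter2example" vertex="1" parent="1"/>'
            '</root></mxGraphModel></diagram>'
            f'<diagram id="two" name="Page-2">{compress_diagram(page_two)}</diagram></mxfile>')

def demo() -> dict:
    """Run the guard over a constructed edit request bound for an assumed provider host."""
    return check_before_send(
        prompt="Add a Redis cache between the web tier and the Orders DB",
        files={"notes.md": "# constructed attachment\nCache TTL should be 5 minutes.\n"},
        url_texts={},
        diagram_xml=build_sample_mxfile(),
        image_data_urls=["data:image/png;base64,iVBORw0KGgo="],  # constructed placeholder
        provider_host="api.example-model-provider.test",
    )

if __name__ == "__main__":
    report = demo()
    for kind, source, size in report["manifest"]:
        print(f"would send {kind:12} {source:20} {size:6} bytes -> {report['destination']}")
    for name, preview in report["secret_hits"]:
        print(f"BLOCKED: diagram label matches {name}: {preview}")
```

The manifest is the disclosure the findings ask for: printed before the network call, it tells the user that the diagram XML and an image are bound for the provider host, not just the prompt. The label scan is a best-effort tripwire, not a guarantee; the rendered image sent during validation carries the same labels as pixels, so a block on the XML path should also block the image upload for the same diagram.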

Missing User Warnings

Low
Confidence
90% confidence
Finding
Automatic .env loading occurs without a strong user-facing warning, which can surprise users and lead to accidental credential exposure within the process. While this finding overlaps with the broader credential-loading issue, the lack of disclosure independently increases the likelihood of unsafe use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal