ClawHub

Baoyu Url To Markdown

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it can automatically send the requested URL to a hosted third-party fallback and can persist captured private page content and downloaded media, so users should review it before installing.

Install only if you are comfortable with a webpage capture tool that can save full rendered page HTML locally. Avoid using it on private, internal, signed-token, or highly sensitive URLs unless you disable or control the hosted fallback behavior. Leave media downloads on ask/never for untrusted pages, and periodically review the output folder and dedicated Chrome profile for sensitive saved content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code enumerates default Chrome user-data directories, reads DevToolsActivePort files, inspects running processes, and attaches to existing Chrome remote-debugging sessions. That gives the skill visibility into and control over a user's live browser context, including authenticated tabs and profile state, which exceeds a simple URL-to-markdown capture need and can expose sensitive data from logged-in sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The hosted fallback sends the user-supplied URL to `https://defuddle.md/<url>` without an explicit warning or consent step. If the URL contains sensitive paths, private hosts, signed tokens, or authenticated resources, this transmits potentially sensitive information to a third party outside the local execution environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill automatically saves a rendered HTML snapshot of the page, including in login-required flows, but does not prominently warn that sensitive page content may be stored locally. This can capture session-specific data, personal information, internal dashboards, or paywalled content into a persistent artifact that may later be exposed or mishandled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code automatically fetches every remote media URL found in markdown and writes the response bytes to local disk without any confirmation, allowlist, size check, or scheme/host restriction. In this skill's context, the markdown is derived from arbitrary user-supplied webpages, so embedded image/video URLs can trigger untrusted outbound requests and local storage of attacker-controlled content, which increases SSRF/privacy exposure and can unexpectedly persist unsafe files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The functions resolve and scan shared Chrome profile directories and attempt to reuse them without any user-facing notice or consent mechanism in this code path. In the context of a tool that may operate on pages requiring login, silent reuse of real browser profiles can grant access to cookies, authenticated content, and other sensitive browsing state.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal