PDF Text Replace

Security checks across malware telemetry and agentic risk

Overview

This PDF editing skill appears purpose-built, but it needs review because encrypted PDFs can be written back to disk as decrypted temporary files without clear cleanup or disclosure.

Install only if you are comfortable with a local tool that can alter PDF contents and handle PDF passwords. Use it only on documents you are authorized to modify, keep originals, review outputs before sharing, and avoid encrypted or highly sensitive PDFs unless you can run it in an isolated workspace and verify temporary decrypted files are removed afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if password:
    cmd += [f"--password={password}"]
cmd += [path, tmp_path]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
if result.returncode == 0:
    reader = PdfReader(tmp_path)
    print(f"[open_pdf_smart] Decrypted with qpdf subprocess -> temp file '{tmp_path}'")
Confidence
86% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill advertises very broad natural-language triggers for common PDF editing requests, which can cause the agent to select it in routine conversations without strong confirmation or scope checks. In this context, that is risky because the skill performs destructive content modification on user documents, including sensitive contracts, certificates, and scanned records.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation emphasizes powerful modification features, including encrypted-PDF handling and OCR-based editing, but does not clearly warn that the tool alters document contents and may affect document authenticity, legal meaning, or sensitive data. In a PDF-editing skill, especially one aimed at certificates and contracts, the absence of an upfront modification warning materially increases the risk of unsafe or unintended use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When an encrypted PDF is processed, the code writes a decrypted working copy to a fixed plaintext path in /tmp (/tmp/pdf_decrypted_work.pdf). Temporary files in shared temp directories can be exposed to other local users, left behind after crashes, or accessed through symlink/race-condition scenarios, which defeats the confidentiality guarantees of the original encrypted document.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When the `qpdf` fallback succeeds, the code decrypts the PDF into a temporary file on disk and returns a reader while merely printing that cleanup is the caller's responsibility. This can leave decrypted sensitive documents resident on disk longer than intended, expose them to other local users or backup/forensic capture, and create confidentiality violations that are especially serious given the skill explicitly handles encrypted PDFs.

VirusTotal

67/67 vendors flagged this skill as clean.
