PrintAssist

Security checks across malware telemetry and agentic risk

Overview

The skill openly presents itself as a document printing and editing assistant, but it can print directly, modify documents, and permanently remove PDF password protection without a built-in confirmation or containment step.

Install only if you are comfortable with an agent that can send files directly to configured printers and create modified document copies. Before using it on sensitive documents, set a rule that printing, PDF decryption, slide deletion, and document edits require an explicit preview or confirmation, and prefer saving transformed files as new copies rather than overwriting originals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while explicitly using shell-based installation commands (`pip install -r requirements.txt`) and PowerShell setup instructions. This creates a transparency and trust problem: users or platforms may authorize the skill under the assumption that it has minimal capabilities, while it can invoke system-level package installation and setup actions on Windows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a printing assistant, but the documented behaviors extend to broad document manipulation: editing Office files, merging/splitting/extracting PDFs, encrypting/decrypting PDFs, compressing documents, and rendering previews. This mismatch is dangerous because users may invoke or approve the skill expecting print-only behavior, while it can alter document contents, transform sensitive files, or remove protections from PDFs.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This module provides broad document-editing capabilities across Word, Excel, and PowerPoint, which materially exceed a skill described as print assistance. In an agent setting, this creates a dangerous privilege mismatch: a user or prompt injection can induce content modification, insertion, deletion, or rewriting of files when the expected trust boundary is only printing-related handling.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The docstring frames printing-related Office-to-PDF conversion as occurring elsewhere, while this file mainly implements unrelated editing actions. That mismatch can mislead reviewers, operators, or routing logic about the module’s real authority, increasing the chance that over-privileged functionality is approved or invoked without appropriate scrutiny.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The file exposes broad document-manipulation capabilities including decryption, watermarking, extraction, compression, preview rendering, and page imposition, which go beyond a narrowly described print-assistance skill. This increases the attack surface and creates opportunities for unauthorized document handling or repurposing of the skill for data transformation tasks unrelated to printing.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill includes a decryption function that removes PDF password protection and writes the result as a plaintext PDF. In a print-assist context, this is unusually sensitive because it enables conversion of protected documents into unprotected copies, which can facilitate data exposure, policy bypass, or downstream exfiltration if invoked on confidential files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states that printing occurs directly without confirmation once the instruction seems clear. This creates a real safety issue because an LLM may misinterpret user intent or select the wrong printer, page range, or copy count, causing unintended physical output, wasted materials, or disclosure of sensitive documents to the wrong location.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented workflow operationalizes direct printing with no mandatory preview or approval gate, making accidental or misrouted jobs more likely in a multi-device, hostname-mapped printer setup. In this context, mistakes can lead not only to paper/ink waste but also to confidentiality issues if documents are printed on a shared or unintended printer.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README advertises very broad natural-language invocation such as printing, merging, editing, rotating, watermarking, and photo manipulation without defining clear trigger boundaries, confirmation requirements, or excluded contexts. In chat-based environments like Claude Code and OpenClaw, this increases the chance of unintended execution from ambiguous user messages, quoted text, forwarded content, or mixed conversational context, leading to accidental printing or file modification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The usage section highlights operations that modify user files and images, including replacing text in Office documents, editing spreadsheets and slides, removing image backgrounds, applying presets, and compressing or transforming PDFs, but it does not clearly warn users that these actions can alter data before printing. Without explicit warnings and confirmation, users may assume the tool is print-only and unintentionally authorize destructive or irreversible edits, especially in an agent workflow that acts on plain-language requests.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger language is broad enough to match ordinary user requests about PDFs, Office files, photos, previews, editing, and printing. Overbroad triggering increases the chance that the skill is invoked in contexts where users did not intend to grant a print-and-modify workflow, especially given its hidden non-printing capabilities.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The slide deletion function performs an irreversible destructive action based solely on an index, with no confirmation, soft-delete, or preview step. In an LLM-driven workflow, a misunderstood instruction, malicious prompt injection, or off-by-one error could silently destroy presentation content and propagate data loss to the saved output.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The decryption routine saves an unencrypted output file with no built-in warning, confirmation step, or compensating safeguard. That makes accidental creation of insecure copies more likely, especially in an automation setting where users may assume the action is a temporary unlock for printing rather than persistent removal of protection.

VirusTotal

64/64 vendors flagged this skill as clean.
