Printer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it lists CUPS printers and prints user-selected PDFs or images, with no evidence of hidden data transfer or persistence.

Install this only if you want an agent to submit local CUPS print jobs. Before each print, confirm the file, target printer, and any -o options, especially for confidential documents or shared/default printers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    for opt in (extra_options or []):
        cmd.extend(['-o', opt])

    result = subprocess.run(cmd, capture_output=True, text=True)

    if result.returncode == 0:
        output = result.stdout.strip()
Confidence
94% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while explicitly invoking local binaries and handling filesystem paths, which means its effective capabilities exceed what is documented to users or a permission model. In a printing skill, shell access and file reads are contextually expected, but the lack of declared permissions reduces transparency and can enable unintended access to local files or command execution surfaces if the implementation is flawed.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill states that it uses the system default printer unless one is specified, but it does not frame this as a potentially sensitive action requiring clear user awareness. That can lead to accidental printing of confidential documents to an unintended device, especially in shared or enterprise environments where the default printer may be remote or publicly accessible.

VirusTotal

66/66 vendors flagged this skill as clean.
