Zerox

Security checks across malware telemetry and agentic risk

Overview

This document converter appears legitimate, but background mode has an unsafe macOS notification path that could execute unintended AppleScript from a crafted filename.

Review before installing. Use foreground mode where possible, avoid background mode on files with untrusted or unusual names until the osascript notification is fixed, and only convert documents you are allowed to send to the configured AI/APIYI provider. Use a scoped API key if available and be cautious with the manual node_modules endpoint patch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability (Medium, 91% confidence)
The script reads API credentials from ~/.openclaw/.env even though the skill is presented as a document-to-Markdown converter. Accessing secrets from the user's home directory expands the skill's privilege scope beyond simple file conversion and can surprise users, especially in agent contexts where such credential harvesting behavior is sensitive.

Description-Behavior Mismatch (Medium, 95% confidence)
The implementation sends document data to a remote OpenAI-backed service despite the manifest describing the skill as document text extraction. This mismatch can cause users to provide sensitive files under the assumption of local processing, resulting in unintended third-party disclosure.

Missing User Warnings (Medium, 92% confidence)
The README instructs users to place a live API key into a local env file but provides no warning about treating the credential as secret, avoiding commits, or limiting its scope. This increases the chance of credential leakage through shell history, dotfile syncing, backups, screenshots, or accidental repository inclusion, which could allow unauthorized use of the third-party API account.

Missing User Warnings (Medium, 96% confidence)
The README directs users to patch a dependency so document contents and API credentials are sent to a third-party proxy endpoint instead of the original supported provider, without discussing trust, privacy, retention, or compliance implications. Because this skill processes arbitrary documents, potentially including sensitive PDFs and scans, rerouting traffic to an intermediary materially increases the risk of data exposure, credential misuse, and unnoticed supply-chain style tampering.

Missing User Warnings (Medium, 97% confidence)
The skill explicitly states that conversion uses GPT-4o vision, which implies document contents are transmitted to a remote model provider, but it does not clearly warn users that potentially sensitive file contents leave the local environment. In a document-conversion skill, users may reasonably expect local processing, so the missing disclosure creates a real privacy and data-handling risk, especially for confidential PDFs, scans, or office documents.

Missing User Warnings (Medium, 97% confidence)
The zerox call transmits the input document to an external model provider without any explicit warning, consent step, or data-handling notice. For PDFs, DOCX files, and images, this may expose confidential business, personal, or regulated information to a third party unexpectedly.

VirusTotal

60/60 vendors flagged this skill as clean.