html-to-pdf

Security checks across malware telemetry and agentic risk

Overview

This appears to be a useful HTML-to-PDF skill, but it should be reviewed before use: the scan found that it launches Chromium with sandboxing disabled while rendering untrusted HTML, and that it makes outbound font and resource requests during conversion.

Install only if you accept that rendering may contact external domains and you can run the skill as a low-privilege user in an isolated environment. Do not use it on sensitive documents unless outbound network access is blocked and the Chromium sandbox (or equivalent container isolation) is enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The script injects a Google Fonts stylesheet into every processed HTML file, causing network access during what is presented as a local HTML-to-PDF conversion. This can leak metadata about document processing, break offline expectations, and allow untrusted HTML rendering to trigger external requests in a context users may assume is fully local.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The code explicitly expects and permits external resource fetching for fonts/CDN assets when rendering the PDF. When converting attacker-controlled HTML, external requests can be used for tracking, environmental probing, or unexpected data egress via referenced resources, which exceeds the narrow purpose of local document conversion.
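The two findings above (the injected Google Fonts stylesheet and the general allowance for CDN fetches) share one remedy: decide per request whether the renderer may leave the host, and tell the user up front which external hosts the document references. The following is an added example written for this page, not code from the html-to-pdf skill or from SkillSpector. The function names, the sample HTML and the hosts in it are this example's own assumptions; only the decision logic runs here, and the puppeteer wiring is shown in a comment so the file executes offline.

```javascript
// Added example (not the skill's code): an egress policy for a Chromium-based
// HTML-to-PDF renderer. Function names, sample HTML and hosts are assumptions.

// Schemes that never leave the host and carry no path to the local filesystem.
const LOCAL_SCHEMES = new Set(['about:', 'data:', 'blob:']);

// Decide whether a resource request issued while rendering may proceed.
// workDir is the absolute directory holding the input HTML, with trailing slash;
// file:// is allowed only underneath it, so a crafted
// <img src="file:///etc/passwd"> cannot pull arbitrary local files into the PDF.
function decideRequest(url, workDir) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (LOCAL_SCHEMES.has(parsed.protocol)) {
    return { allow: true, reason: parsed.protocol };
  }
  if (parsed.protocol === 'file:') {
    // WHATWG URL parsing already collapses ../ segments; the explicit check is
    // belt and braces against any decoded path that still contains one.
    let path;
    try {
      path = decodeURIComponent(parsed.pathname);
    } catch {
      return { allow: false, reason: 'undecodable file path' };
    }
    const inside = path.startsWith(workDir) && !path.includes('/../');
    return { allow: inside, reason: inside ? 'file inside workDir' : 'file outside workDir' };
  }
  // http:, https:, ws:, ftp: and friends all leave the host: block and record.
  return { allow: false, reason: `external ${parsed.protocol} request to ${parsed.host}` };
}

// Pre-flight report: which external hosts does the HTML reference before
// Chromium is even started? The injected Google Fonts <link> would appear here.
// The regex catches src/href attributes, CSS url() and @import; it is a report
// for the user, decideRequest() above is the enforcement.
const REF_RE = /(?:\b(?:src|href)\s*=\s*["']?|url\(\s*["']?|@import\s+["'])(https?:\/\/[^"')\s>]+)/gi;

function externalReferences(html) {
  const hosts = new Map();
  for (const m of html.matchAll(REF_RE)) {
    try {
      const host = new URL(m[1]).host;
      hosts.set(host, (hosts.get(host) || 0) + 1);
    } catch {
      // malformed reference; Chromium would not fetch it either
    }
  }
  return hosts;
}

// Constructed sample input: the injected stylesheet next to a document's own
// local and remote resources (hosts are made up for this example).
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>@import "https://cdn.example.net/base.css"; body { background: url(logo.png) }</style>
</head><body>
<img src="file:///tmp/job1/chart.png">
<img src="https://tracker.example.com/p.gif?id=42">
</body></html>`;

// Puppeteer wiring (not executed here; puppeteer is not needed to run this file):
//   await page.setRequestInterception(true);
//   page.on('request', req => {
//     const d = decideRequest(req.url(), workDir);
//     d.allow ? req.continue() : req.abort('blockedbyclient');
//   });
// and before rendering, surface externalReferences(html) to the caller.

function demo() {
  const workDir = '/tmp/job1/';
  const report = [...externalReferences(SAMPLE_HTML)].map(([host, n]) => `${host} (${n})`);
  console.log('external hosts referenced:', report.join(', '));
  const probes = [
    'https://fonts.googleapis.com/css2?family=Inter',
    'file:///tmp/job1/chart.png',
    'file:///tmp/job1/../../etc/passwd',
    'data:text/css,body{}',
  ];
  for (const u of probes) console.log(u, '->', decideRequest(u, workDir));
}
demo();
```

Blocking at the request layer rather than editing the HTML is what makes this hold up: a stylesheet fetched from a CDN can itself `@import` further resources, and fonts referenced from CSS never appear as attributes in the source document.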

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The script launches Chromium with --no-sandbox and --disable-setuid-sandbox while processing user-supplied HTML and JavaScript. If malicious content exploits a browser engine vulnerability, disabling the sandbox removes an important containment boundary and can turn renderer compromise into host-level impact. These flags are usually added because Chromium refuses to start its sandbox when running as root, as it would in many containers; the fix is to run the converter as an unprivileged user, not to drop the sandbox.
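A reviewer can catch this class of problem mechanically by auditing the options object a script passes to puppeteer.launch() and refusing to produce a sandbox-less configuration. The following is an added example for this page, not the skill's code and not part of SkillSpector. The switch names are real Chromium command-line switches and the { args: [...] } shape is puppeteer's; the function names, the reasons table and the sample options object are this example's assumptions.

```javascript
// Added example (not the skill's code): audit Chromium launch options and
// produce a hardened copy. Switch names are real; function names, the reasons
// table and AS_SHIPPED are assumptions of this example.

// Switches that remove or weaken a containment boundary.
const DANGEROUS_SWITCHES = {
  '--no-sandbox': 'disables the renderer/OS sandbox entirely',
  '--disable-setuid-sandbox': 'disables the setuid sandbox fallback on Linux',
  '--disable-web-security': 'turns off same-origin policy for rendered content',
  '--allow-file-access-from-files': 'lets a file:// page read other local files',
  '--remote-debugging-port': 'exposes the DevTools protocol on a TCP port',
};

// "--remote-debugging-port=9222" -> "--remote-debugging-port"
function switchName(arg) {
  return arg.split('=')[0];
}

function isDangerous(arg) {
  return Object.prototype.hasOwnProperty.call(DANGEROUS_SWITCHES, switchName(arg));
}

// One finding per dangerous switch present in opts.args.
function auditLaunchOptions(opts) {
  const findings = [];
  for (const arg of opts.args || []) {
    if (isDangerous(arg)) {
      findings.push({ flag: switchName(arg), reason: DANGEROUS_SWITCHES[switchName(arg)] });
    }
  }
  return findings;
}

// Hardened copy: dangerous switches removed, a few narrowing ones added.
// uid is the effective uid the converter will run under. Chromium refuses to
// start its sandbox as root, which is the usual reason scripts add
// --no-sandbox; the fix is to run as an unprivileged user, so this refuses to
// hand out a configuration for uid 0 rather than silently dropping the sandbox.
function hardenLaunchOptions(opts, uid) {
  if (uid === 0) {
    throw new Error('refusing to render untrusted HTML as root; run as an unprivileged user so the Chromium sandbox stays on');
  }
  const kept = (opts.args || []).filter(a => !isDangerous(a));
  const narrowing = ['--disable-extensions', '--disable-background-networking', '--no-first-run'];
  return { ...opts, args: [...new Set([...kept, ...narrowing])] };
}

// Constructed sample: the kind of options object a script that reaches for
// --no-sandbox typically ships.
const AS_SHIPPED = {
  headless: true,
  args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage'],
};

// Page-level hardening that no launch switch gives you (not executed here):
//   await page.setJavaScriptEnabled(false);                 // static documents rarely need JS to print
//   await page.goto(fileUrl, { waitUntil: 'load', timeout: 30_000 });

function demo() {
  const uid = typeof process.getuid === 'function' ? process.getuid() : -1;
  console.log('findings:', auditLaunchOptions(AS_SHIPPED));
  try {
    console.log('hardened:', hardenLaunchOptions(AS_SHIPPED, uid).args);
  } catch (e) {
    console.log('refused:', e.message);
  }
}
demo();
```

Keeping the refusal in code rather than in a README matters in an agentic setting: the agent invoking the skill will not read a warning, but it will see the thrown error and can report it instead of rendering.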

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger guidance is broad enough that an agent may invoke this skill for generic requests like 'make a PDF of this' without first confirming that the source is actually HTML. That can cause inappropriate tool selection, unintended file handling, or conversion of content outside the skill's stated scope, which is a genuine security/reliability issue in agentic systems.
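The practical counterpart to tighter trigger wording is a gate that the agent runtime runs before routing "make a PDF of this" to the skill: confirm the input is HTML by both extension and content, and name what it actually saw so the agent can choose another tool. The following is an added example for this page, not the skill's code and not part of SkillSpector. Function names and the constructed inputs are this example's own; the magic bytes are the real file signatures.

```javascript
// Added example (not the skill's code): a pre-invocation gate that confirms the
// input really is HTML. Function names and INPUTS are assumptions; the magic
// bytes are the real signatures of those formats.

const HTML_EXTENSIONS = new Set(['.html', '.htm', '.xhtml']);

// Leading bytes of formats that are routinely mis-sent to HTML tools.
const SIGNATURES = [
  { kind: 'pdf',  magic: Buffer.from('%PDF-') },
  { kind: 'zip',  magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },  // also docx, xlsx, epub
  { kind: 'png',  magic: Buffer.from([0x89, 0x50, 0x4e, 0x47]) },
  { kind: 'gzip', magic: Buffer.from([0x1f, 0x8b]) },
];

// Classify a Buffer by its first bytes: known binary signature, HTML, or unknown.
function sniff(bytes) {
  for (const s of SIGNATURES) {
    if (bytes.length >= s.magic.length && bytes.subarray(0, s.magic.length).equals(s.magic)) {
      return s.kind;
    }
  }
  const head = bytes.subarray(0, 1024).toString('utf8').replace(/^\uFEFF/, '').trimStart().toLowerCase();
  // Real HTML starts with a doctype, a root/head/body tag or a comment; a stray
  // "<" inside Markdown or a log file does not pass this.
  if (/^<(!doctype\s+html|html[\s>]|head[\s>]|body[\s>]|!--)/.test(head)) return 'html';
  return 'unknown';
}

// Accept only when content is HTML and the extension is an HTML one or absent.
// A renamed PDF (evil.html) and a Markdown file are both refused with a reason
// the agent can act on.
function classifyInput(filename, bytes) {
  const ext = (filename.match(/\.[^./\\]+$/) || [''])[0].toLowerCase();
  const kind = sniff(bytes);
  const extOk = ext === '' || HTML_EXTENSIONS.has(ext);
  const accept = kind === 'html' && extOk;
  let reason;
  if (accept) reason = ext ? 'HTML by extension and content' : 'HTML by content (no extension)';
  else if (kind !== 'html' && kind !== 'unknown') reason = `content is ${kind}, not HTML`;
  else if (!extOk) reason = `extension "${ext}" is not an HTML extension`;
  else reason = 'extension says HTML but content does not look like HTML';
  return { accept, kind, ext, reason };
}

// Constructed inputs covering the cases an agent actually sees.
const INPUTS = [
  ['page.html',  Buffer.from('<!DOCTYPE html>\n<html lang="en"><body>hi</body></html>')],
  ['report.pdf', Buffer.from('%PDF-1.7\n%\xE2\xE3\xCF\xD3\n')],      // already a PDF
  ['notes.md',   Buffer.from('# Title\n\nSome <b>markdown</b>\n')],  // not HTML at all
  ['evil.html',  Buffer.from('%PDF-1.4\n')],                          // renamed PDF
  ['index',      Buffer.from('<html><head></head></html>')],          // no extension
];

function demo() {
  for (const [name, bytes] of INPUTS) {
    const r = classifyInput(name, bytes);
    console.log(`${name}: ${r.accept ? 'invoke skill' : 'do not invoke'} (${r.reason})`);
  }
}
demo();
```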

Missing User Warnings

Medium
Confidence: 89%
Finding
The injected stylesheet silently fetches fonts from Google during PDF generation without clear disclosure in the tool interface or usage contract. This is risky because users may process sensitive local documents under the assumption that conversion is offline, while the renderer makes outbound requests that reveal usage and may interact with third-party infrastructure.

VirusTotal

66/66 vendors flagged this skill as clean. A clean antivirus verdict covers known-malware signatures only; it does not address the design-level findings above.
