PDF Reader

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be what it discloses itself to be: a PDF text/OCR extractor. The main caution is that an optional flag can install OCR/PDF tools on the host.

Use this skill for PDFs you intend to process. Prefer preinstalling poppler/tesseract yourself, and avoid `--auto-install` on production or locked-down hosts unless you approve package-manager changes. Save extracted text only to a new temporary or workspace path, because the output option can replace an existing file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Documenting package installation through apt-get, yum, or brew broadens the skill from file processing into system administration. In an agent setting, this can lead to unintended privileged operations, dependency drift, or execution of package-manager commands on sensitive hosts merely to satisfy a document-reading request.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
Automatically installing Tesseract language packs based on --lang creates additional package-management behavior triggered by user-controlled parameters. While the language values may be allowlisted, this still permits a document-processing request to cause host changes and network/package repository interactions outside the stated purpose.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script’s stated purpose is PDF text extraction, but it also includes a hidden system-management capability via `--auto-install` that can invoke package managers and modify the host. Even though this behavior is optional, adding installation logic to a reader skill expands its privilege surface and can cause unexpected package installation, network access, and system state changes in environments where skills are expected to be non-mutating.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
A PDF reader skill should not need to call `apt-get`, `yum`, or `brew`; that is an unjustified capability escalation beyond document parsing. In an agent context, this enables the skill to alter the operating system, pull software from external repositories, and consume elevated privileges if available, which creates unnecessary supply-chain and host-integrity risk.

Missing User Warnings

Medium
Confidence: 82%
Finding
The documentation encourages saving extracted text to a user-specified path and later reading it, but does not warn about overwrite risk, sensitive path selection, or the persistence of extracted potentially confidential document contents on disk. In an automated agent workflow, this can cause accidental clobbering of files or leakage of sensitive text into insecure locations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The auto-install option is documented without a strong caution that it may invoke privileged package-manager commands and alter the host environment. In the context of an agent skill, this omission increases the chance that operators or automation treat the command as routine document extraction when it can instead perform system-level changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
When `--auto-install` is used, the script performs immediate system-modifying operations without an interactive confirmation or equivalent policy check. In unattended or agent-driven execution, this can lead to unexpected package installs and outbound repository access, making the environment mutable in response to a document-processing request.

VirusTotal

VirusTotal findings are pending for this skill version.