ClawHub

Clipper

Security checks across malware telemetry and agentic risk

Overview

This Obsidian web clipper is mostly coherent, but every save automatically runs Git pull, commit, and push, which can publish clipped notes or affect the vault without a separate confirmation.

Review before installing, especially if your Obsidian vault is a Git repository. Use it only if you want every saved clip to be automatically pulled, committed, and pushed; verify the detected vault path and Git remote first. Avoid clipping private or sensitive URLs unless you are comfortable with Jina Reader, x-reader, the WeChat image proxy, and your Git remote receiving the resulting content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions even though its documented behavior clearly includes shell execution, network access, and writing files into an Obsidian vault. This is dangerous because users and policy systems cannot accurately assess or constrain what the skill can do, which reduces informed consent and weakens sandboxing or approval controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The skill description understates material behavior by omitting automatic git pull/add/commit/push operations and overstates platform-specific handling that is not actually implemented. That mismatch is security-relevant because users may invoke a simple 'save this page' skill without realizing it can modify a repository and send data to a remote, creating unexpected data exposure and integrity risks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script performs a git synchronization after saving a clip, which expands its behavior from simple local note creation into repository-changing operations. In an agent context, automatic git add/commit/push can modify history or exfiltrate newly saved content to a remote without an explicit, per-action user confirmation, making this an unjustified side effect for the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This utility performs `git pull`, `add`, `commit`, and `push`, which expands the skill from local clipping into remote repository modification and network synchronization. In the context of a clipping skill, that is more dangerous because saving fetched web content could unintentionally publish sensitive notes, tokens, or private clipped material to a remote origin without clear user awareness.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
After saving fetched content, the skill automatically performs git synchronization on the user's vault. This extends the effect of a local save into potential persistence and exfiltration to a remote repository, which is more dangerous because it occurs without any confirmation in this file.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The function rewrites WeChat-hosted image URLs to a third-party proxy service, which changes the destination of embedded resources and can leak reader metadata or article-linked resources to an external provider without consent. In a clipping tool, silent exfiltration of browsing-derived content references to a third party is a real security and privacy issue, even if the implementation appears intended for compatibility.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic git sync performs pull, commit, and push after saving content, which can transmit clipped data and local vault changes to a remote repository without an explicit warning or opt-in. In the context of an Obsidian vault, this is more dangerous because vaults often contain personal notes, credentials, drafts, or other sensitive material, and a pull --rebase can also alter local repository state unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The fetch logic sends the user-supplied Twitter/X URL to the third-party service r.jina.ai instead of retrieving content directly from Twitter/X. This leaks the target URL and associated access metadata to an external service without clear warning, which is a privacy and data-handling risk, especially if users expect the clipper to only contact the original platform.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic git synchronization can trigger repository-changing actions immediately after clipping, without any user-facing warning at the point of execution. In environments where the vault is connected to remotes or shared history, this can unintentionally publish sensitive notes or alter repository state beyond the user's expectation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic pull/commit/push without any user-facing warning or confirmation can cause unauthorized or surprising modification and publication of vault contents. In a clipping skill, this is particularly sensitive because users may expect local note creation, not silent synchronization to a remote git repository.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code fetches arbitrary remote content and writes it directly into the user's Obsidian vault without any warning, review step, or trust boundary notice. In the context of a note-taking vault, this can import malicious markdown, tracking links, oversized content, or sensitive material that the user did not intend to persist.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatically triggering git synchronization after saving causes side effects beyond local file creation and can modify repository state without explicit user awareness. In an agent skill context, this is more dangerous because clipping untrusted web content could silently result in commits, pushes, or other source-control actions, creating unwanted persistence and possible data leakage depending on how git_sync is implemented.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Rewriting image URLs to a third-party proxy without disclosure changes the trust boundary and can expose article-related resource requests to an external service. Because this is a web-clipping skill handling potentially sensitive reading material, the context makes the privacy impact more significant than in a generic content transformation tool.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal