PDF 转 GetNotes (PDF to GetNotes)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its PDF-to-GetNotes purpose, but it ships a live-looking GetNotes credential inside its SOP file and does not disclose that extracted PDF text and rendered page images are sent to remote services.

Do not install this version until the publisher removes the exposed GetNotes credential from the SOP and rotates it. A corrected version should only be used for PDFs you are comfortable uploading to GetNotes/OSS and possibly MiniMax; verify the configured GetNotes account and topic_id before running, and delete leftover /tmp PDF artifacts (/tmp/pdf_pages/<pdf_name> and /tmp/<pdf_name>_urls.json) after processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill documents capabilities to write files under /tmp, make outbound network requests, and invoke shell commands, but does not declare corresponding permissions. This creates a transparency and governance gap: users and the host agent may authorize a seemingly simple PDF-to-note workflow without understanding that it performs broader local and remote operations.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior exceeds the stated purpose by reading local credentials, uploading page images to remote object storage, and optionally mutating a knowledge base. Description-behavior mismatch is dangerous because it undermines informed consent and can cause sensitive document data to leave the system or modify user data stores in ways the user did not clearly request.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: The skill reads GetNotes credentials from ~/.openclaw/openclaw.json, which is outside the user-provided PDF input and expands the trust boundary to unrelated local secrets. Even if intended for normal authentication, undocumented secret access increases the blast radius of the skill and can be abused if the skill is triggered unexpectedly or modified later.

Context-Inappropriate Capability
Severity: High
Confidence: 82%
Finding: The skill launches an external shell utility via subprocess to upload files, introducing an execution surface beyond what an HTTP client would need. The command is passed as an argument list rather than a shell string, so shell metacharacters in file names are not interpreted, but invoking an external binary still carries risk: a file name beginning with "-" can be parsed by the helper as an option (argument injection), a binary resolved through PATH can be hijacked by a writable directory earlier on the path, a non-zero exit status and stderr are easy to ignore, and the call is harder to audit than an in-process request.
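The finding above describes the hazards but not the controls. The following is an added example, not the skill's own code, showing how an upload helper can be launched with those controls in place: the binary is resolved only from a fixed directory list, file names that would parse as options are refused, "--" ends option parsing, and the exit status is checked. The helper name "ossutil", its "cp" subcommand, the "oss://" prefix, the trusted directory list and the assumption that the helper honours "--" are all illustrative; the demo substitutes the system "true" binary so nothing is transmitted.

```python
# Added example, not the skill's own code: launching an upload helper with the
# controls the finding above calls for. "ossutil", its "cp" subcommand, the
# "oss://" prefix and the trusted directory list are assumptions for illustration.
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumption: the uploader may only be resolved from these directories, so a
# writable directory that appears earlier on PATH cannot shadow the real binary.
TRUSTED_BIN_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def resolve_trusted_binary(name: str) -> str:
    """Return an absolute path for a bare binary name, searching only TRUSTED_BIN_DIRS."""
    if os.sep in name:
        raise ValueError("binary must be a bare name, not a path")
    found = shutil.which(name, path=os.pathsep.join(TRUSTED_BIN_DIRS))
    if found is None:
        raise FileNotFoundError(f"{name} not found in trusted directories")
    return found


def build_upload_command(binary: str, local_file: str, remote_prefix: str) -> list:
    """Build argv for one upload without letting the file name turn into an option.

    A rendered page named "-something.png" would otherwise be parsed by the
    helper as a flag (argument injection); the file must also be a regular file,
    not a symlink that points at something else on the host.
    """
    path = Path(local_file)
    if path.name.startswith("-"):
        raise ValueError(f"refusing file name that looks like an option: {path.name}")
    if path.is_symlink() or not path.is_file():
        raise ValueError(f"not a regular file: {local_file}")
    if not remote_prefix.startswith("oss://"):
        raise ValueError("remote prefix must be an oss:// URI")
    # Absolute binary, absolute file, and "--" to end option parsing (assumed to
    # be honoured by the helper, as it is by most CLIs).
    return [resolve_trusted_binary(binary), "cp", "--", str(path.resolve()), remote_prefix]


def run_upload(argv: list, timeout: int = 120) -> int:
    """Run the helper with no shell, a timeout, captured stderr and a hard failure check."""
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(f"upload failed ({proc.returncode}): {proc.stderr.strip()}")
    return proc.returncode


def demo() -> dict:
    """Constructed run: one normal page file and one whose name looks like a flag.
    Uses the system 'true' binary (assumed present) as a stand-in for the real
    uploader, so nothing leaves the machine."""
    workdir = tempfile.mkdtemp(prefix="pages-")
    good = Path(workdir) / "page_1.png"
    good.write_bytes(b"PNG")            # constructed placeholder content
    bad = Path(workdir) / "-page.png"
    bad.write_bytes(b"PNG")
    out = {}
    argv = build_upload_command("true", str(good), "oss://bucket/pdf/")
    out["binary_absolute"] = os.path.isabs(argv[0])
    out["dash_dash"] = argv[2]
    out["rc"] = run_upload(argv)
    try:
        build_upload_command("true", str(bad), "oss://bucket/pdf/")
        out["flag_rejected"] = False
    except ValueError:
        out["flag_rejected"] = True
    try:
        resolve_trusted_binary("./true")
        out["path_rejected"] = False
    except ValueError:
        out["path_rejected"] = True
    shutil.rmtree(workdir)
    return out


if __name__ == "__main__":
    print(demo())
```

Resolving the binary from a fixed list rather than the caller's PATH is what closes the hijacking case; the "--" separator and the leading-dash check close argument injection from attacker-chosen PDF names; check-and-raise on the exit status is what turns a silent failed upload into an error the operator sees.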

Description-Behavior Mismatch
Severity: Medium
Confidence: 84%
Finding: The workflow includes optional addition of the created note into a knowledge base, which is a state-changing action beyond the core task of storing a PDF as a note. Extra mutation is risky because it can unintentionally alter user organization structures or expose content more broadly inside the note platform.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The SOP adds an optional Step 6 that batches the created note into a knowledge base, which exceeds the declared user-facing purpose of merely storing a PDF as a single GetNotes note. This expands data propagation and persistence scope without clear user request or consent, increasing the chance of oversharing sensitive document contents beyond the original action.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The document contains live-looking static API credentials and instructs direct use of them, which is highly sensitive and unnecessary to embed in a SOP file. Exposed credentials can be stolen and reused for unauthorized API access, data exfiltration, note creation, or broader compromise of the connected account and storage workflows.

Vague Triggers
Severity: Medium
Confidence: 78%
Finding: Broad trigger phrases raise the chance that the skill runs on ordinary conversational language without the user realizing the full workflow includes OCR, summarization, image uploads, and note creation. In this context, overbroad triggering is more dangerous because the skill handles potentially sensitive PDFs and performs remote transmission.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill describes extracting text, generating AI summaries, and uploading page images to external services, but does not warn users that document contents will be transmitted and stored remotely. Missing disclosure is significant here because PDFs often contain sensitive business or personal data, and both text and images are sent outside the local environment.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The workflow uploads every PDF page image to an external OSS endpoint and sends extracted document text to an AI model, but the SOP provides no user-facing disclosure, consent, or data-handling warning. For a PDF-ingestion skill, this is especially risky because PDFs often contain confidential business, personal, or regulated information that users may assume stays local or only within GetNotes.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: Publishing credential locations and direct API key usage in the SOP normalizes unrestricted secret access without any warning about sensitivity or access controls. This increases the likelihood of accidental leakage, misuse by downstream consumers of the document, and unsafe handling of privileged credentials in operational environments.
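Both the embedded-credential finding (99% confidence) and this one come down to one pre-install check: does the SOP text contain live-looking secrets, and does the code instead read its key from the environment? The following is an added example, not the skill's or the scanner's code, of that check run over a constructed sample SOP. The page does not show the GetNotes key format, so the patterns are generic (an assignment to a secret-named variable, or a bearer token in a header) with placeholder and entropy filters; every token in the sample is made up and matches no real service.

```python
# Added example, not the skill's or the scanner's code: a pre-install check that
# flags credential-like values in a skill's SOP/README text and records whether
# the safer pattern (key read from the environment) is used. The sample SOP and
# every token in it are constructed and match no real service.
import math
import re
from collections import Counter

# Generic shapes, because the page does not show the GetNotes key format:
# an assignment to a secret-named variable, or a bearer token in a header.
SECRET_PATTERNS = {
    "assignment": re.compile(
        r"(?i)\w*(?:api[_-]?key|secret|token|password|access[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-\.]{16,})"
    ),
    "bearer": re.compile(r"(?i)authorization\s*[:=]\s*['\"]?bearer\s+([A-Za-z0-9_\-\.]{16,})"),
}
# Values that are placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)your|replace|example|placeholder|changeme|xxx|<|\$\{|\{\{")
ENV_LOOKUP = re.compile(r"os\.(?:environ\.get|getenv)\(|os\.environ\[")


def shannon_entropy(value: str) -> float:
    """Bits per character; random API keys land well above 3, words and placeholders below."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_live(value: str) -> bool:
    """True when a candidate neither reads like a placeholder nor has low entropy."""
    return PLACEHOLDER.search(value) is None and shannon_entropy(value) >= 3.0


def audit_sop(text: str) -> dict:
    """Scan one document; refuse installation when any live-looking credential is embedded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if looks_live(value):
                    # Keep only a short prefix so the audit log does not become a second leak.
                    findings.append({"line": lineno, "kind": kind, "preview": value[:8] + "..."})
    return {
        "findings": findings,
        "uses_env_lookup": ENV_LOOKUP.search(text) is not None,
        "install": not findings,
    }


# Constructed sample SOP; the two gn_live_ tokens and the MiniMax placeholder are invented.
SAMPLE_SOP = """\
# PDF to GetNotes SOP (constructed sample, not the real skill file)
Step 1: read the GetNotes key
GETNOTES_API_KEY = "gn_live_3f9aQ7xLm2Pz8vKd1bR6tY0wE4sHn5Uc"
Step 2: create the note
curl -H "Authorization: Bearer gn_live_3f9aQ7xLm2Pz8vKd1bR6tY0wE4sHn5Uc" https://example.invalid/notes
Step 3: summarise with MiniMax (placeholder the operator fills in)
MINIMAX_API_KEY = "REPLACE_WITH_YOUR_KEY_BEFORE_USE"
Step 4: preferred pattern, the key comes from the environment
API_KEY = os.environ.get("GETNOTES_API_KEY")
"""

if __name__ == "__main__":
    print(audit_sop(SAMPLE_SOP))
```

Run against the sample, the check reports the assignment on line 3 and the bearer header on line 5 and blocks installation, while the obvious placeholder on line 7 and the environment lookup on line 9 pass. The preview field deliberately truncates the value so the audit output cannot itself be harvested.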

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The script writes rendered PDF pages under /tmp/pdf_pages/<pdf_name> and stores derived page URLs in /tmp/<pdf_name>_urls.json without any cleanup, permission hardening, or user notice. Because PDFs often contain sensitive content, leaving artifacts in shared temporary storage can expose document contents and metadata to other local users, later processes, or backup/logging systems.
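The fix for this finding, and the cleanup the overview recommends, is shown below as an added example that is not the skill's code: each run gets a freshly created mode-0700 directory with an unpredictable name instead of the fixed /tmp/pdf_pages/<pdf_name> path, every artifact is created owner-only with O_EXCL so a pre-planted file or symlink at the expected name is an error rather than a write target, the directory is removed in a finally block, and a sweep lists what an earlier unhardened run left behind. The run layout (a "pages" subfolder plus one URL map holding page names as a stand-in for upload URLs) is assumed for illustration.

```python
# Added example, not the skill's code: a private per-run work directory in place
# of the fixed /tmp/pdf_pages/<pdf_name> and /tmp/<pdf_name>_urls.json paths, and
# a sweep that lists what an earlier unhardened run left behind. The run layout
# (a "pages" subfolder plus one URL map) is assumed for illustration.
import contextlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


@contextlib.contextmanager
def private_workdir(prefix: str = "pdf2notes-"):
    """Yield a fresh directory created with mode 0700; remove it whatever happens."""
    path = Path(tempfile.mkdtemp(prefix=prefix))   # mkdtemp creates 0700 with a random name
    try:
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def _create_private(path: Path) -> int:
    """Open a new file owner-only (0600) and fail if anything already sits at that path."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def render_and_record(pdf_name: str, page_images: list, workdir: Path) -> dict:
    """Write page artifacts and the URL map inside workdir only, never under a shared /tmp name."""
    pages_dir = workdir / "pages"
    pages_dir.mkdir(mode=0o700)
    pages = []
    for index, blob in enumerate(page_images, 1):
        page = pages_dir / f"page_{index}.png"
        with os.fdopen(_create_private(page), "wb") as fh:
            fh.write(blob)
        pages.append(page)
    # Stand-in for the remote URL map: record page names only. Real URLs would
    # come from the upload step and are just as sensitive as the images.
    url_map = workdir / f"{pdf_name}_urls.json"
    with os.fdopen(_create_private(url_map), "w") as fh:
        json.dump({pdf_name: [p.name for p in pages]}, fh)
    return {"pages": pages, "urls": url_map}


def find_leftovers(tmp_root="/tmp") -> list:
    """List artifacts the unhardened script leaves under tmp_root so they can be deleted."""
    root = Path(tmp_root)
    found = sorted(str(p) for p in root.glob("pdf_pages/*") if p.is_dir())
    found += sorted(str(p) for p in root.glob("*_urls.json") if p.is_file())
    return found


def demo() -> dict:
    """Constructed run: two fake page images, then a sweep of a fake tmp root."""
    results = {}
    with private_workdir() as wd:
        results["workdir_mode"] = stat.S_IMODE(wd.stat().st_mode)
        written = render_and_record("report", [b"PNG-1", b"PNG-2"], wd)
        results["page_mode"] = stat.S_IMODE(written["pages"][0].stat().st_mode)
        results["urls_mode"] = stat.S_IMODE(written["urls"].stat().st_mode)
        results["exists_inside"] = wd.exists()
    results["exists_after"] = wd.exists()
    # A constructed stand-in for /tmp holding exactly the names the finding cites.
    fake_tmp = Path(tempfile.mkdtemp(prefix="fake-tmp-"))
    (fake_tmp / "pdf_pages" / "report").mkdir(parents=True)
    (fake_tmp / "report_urls.json").write_text("{}")
    results["leftovers"] = [os.path.relpath(p, fake_tmp) for p in find_leftovers(fake_tmp)]
    shutil.rmtree(fake_tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

Calling find_leftovers() with its default root is the check to run on a host where the unhardened version has already been used; anything it lists should be deleted before the box is considered clean.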

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The script uploads every PDF page image to an external OSS service and then creates a remote note containing those images, but there is no explicit consent, warning, or content sensitivity check. In this skill context, users may pass private PDFs expecting note storage, yet the implementation transmits full document contents to third-party endpoints, creating substantial confidentiality and compliance risk.

External Transmission
Severity: Medium
Category: Data Exfiltration
Content (the request that sends extracted document text to the remote model; GroupId and the message list are elided on the page):
import json
import os
import urllib.request

API_KEY = os.environ.get("MINIMAX_API_KEY")
req = urllib.request.Request(
    "https://api.minimax.io/v1/text/chatcompletion_pro?GroupId=...",
    data=json.dumps({"model": "MiniMax-M2", "messages": [...]}).encode("utf-8"),
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    method="POST",
)
resp = urllib.request.urlopen(req)
Confidence: 90%
Finding: Outbound request to https://api.minimax.io/ carrying extracted PDF text.

VirusTotal

67/67 vendors flagged this skill as clean.