Security audit

DXF to Image

Security checks across malware telemetry and agentic risk

Overview

This DXF converter appears purpose-aligned, but it combines shell execution, user-controlled file paths, and no-confirmation handling in a way users should review before installing.

Install only if you are comfortable with a skill that runs a local Python conversion command on files you provide. Use it on trusted DXF files, avoid sensitive CAD drawings unless you control where outputs are saved or sent, and prefer a reviewed version that pins dependencies and clearly quotes or validates file paths.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (5)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to execute conversion and transmit the resulting file without confirmation or safety checks, which can cause unintended disclosure of sensitive CAD content and unexpected file writes. In this context, the risk is elevated because DXF files may contain proprietary designs or infrastructure layouts, and the skill encourages immediate exfiltration via Telegram/OpenClaw media tooling.

Unpinned Dependencies

Low
Category
Supply Chain
Content
ezdxf
matplotlib
Pillow
Confidence
98% confidence
Finding
ezdxf

Unpinned Dependencies

Low
Category
Supply Chain
Content
ezdxf
matplotlib
Pillow
Confidence
98% confidence
Finding
matplotlib

Unpinned Dependencies

Low
Category
Supply Chain
Content
ezdxf
matplotlib
Pillow
Confidence
99% confidence
Finding
Pillow

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
Pillow

VirusTotal

59/59 vendors flagged this skill as clean.
