Markdown → 图片卡片 (Markdown → Image Cards)

Security checks across malware telemetry and agentic risk

Overview

This is a real Markdown-to-image skill, but it needs review because it can silently delete the chosen output folder and can make outbound network requests while rendering Markdown.

Install only if you are comfortable running a code-based renderer on trusted Markdown. Avoid passing a custom --output path (the output directory is deleted and recreated before generation), make sure ~/Downloads/<card name>/ has nothing important before generation, and remove remote image links or restrict network access when processing sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill is documented as directly reading Markdown files and invoking a local Node tool, and static analysis indicates additional capabilities, including environment access and network use, despite no declared permissions. This creates a transparency and consent gap: users and policy layers cannot accurately understand or restrict what the skill can access, especially given behavior such as reading files and writing outputs automatically.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The described purpose is simple Markdown-to-image conversion, but the detected behavior expands to remote resource downloading, external metadata fetching, web font loading, Mermaid rendering, branding insertion, and destructive output-directory recreation. These hidden side effects materially change the security posture by introducing exfiltration, SSRF-like fetch behavior, untrusted content processing, third-party requests, and possible data loss in the output path.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The HTML template imports a remote Google Fonts stylesheet, which causes network access during rendering of ostensibly local Markdown content. This can leak usage metadata (IP, timing, document processing events), create hidden external dependencies, and break in offline or restricted environments; because the HTML is rendered by a browser engine, any remote resource fetch also broadens the attack surface beyond pure local conversion.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script derives a remote YouTube thumbnail URL from Markdown content and embeds it into rendered HTML, causing automatic outbound requests to third-party infrastructure. This exceeds a strict local Markdown-to-image transformation, leaks that the input referenced a specific video, and makes output generation dependent on untrusted remote content and network availability.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code scans all Markdown lines for YouTube URLs and uses them to enrich output with remote thumbnails, introducing undeclared network-dependent behavior. In the context of a conversion utility, this is risky because user-supplied Markdown can trigger external requests without clear consent, creating privacy leakage and an unnecessary trust boundary with remote content providers.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
When no output directory is provided, the script writes files into a hard-coded absolute path under a specific user's Documents tree. This can expose generated content in an unintended location, cause accidental overwrites or data mixing, and is especially unsafe when the skill runs in a shared agent environment where filesystem expectations differ from the developer's machine.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The script imports and uses components that enable outbound network access in a tool whose declared purpose is local Markdown-to-image conversion. Even though the YouTube fetch path is unused, Playwright renders HTML containing a remote Google Fonts @import, so processing untrusted Markdown causes the runtime to contact external infrastructure and leak usage metadata without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code resolves an output directory and then unconditionally deletes it with `fs.rm(..., { recursive: true, force: true })` before generation. Because `outputDir` can be caller-controlled and defaults to a path derived from `HOME`, this can wipe arbitrary existing directories and their contents, which is far beyond what a Markdown-to-image skill should do.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Mermaid is initialized with `securityLevel: 'loose'`, which permits richer HTML behavior in diagrams rendered from untrusted Markdown-derived content. In a headless browser pipeline that turns attacker-controlled content into HTML, this increases the risk of script/HTML injection, unexpected network access, or browser-context abuse during rendering.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The parser fetches arbitrary remote image URLs found in Markdown, which gives a document-conversion skill outbound network capability and can be abused for SSRF-style access to internal services, unexpected data egress, or user/environment IP disclosure. In this skill context, converting Markdown to images does not inherently require unrestricted network access, so the capability is broader than the apparent scope and increases risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code performs network retrieval during parsing without sufficient justification or safeguards for a Markdown-to-image skill. Because the URL comes from Markdown content, an attacker can embed links that trigger unexpected outbound requests, making the parser behave like a network client rather than a local formatter.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The template fetches a Google Fonts stylesheet from an external domain during rendering, which creates outbound network access and leaks metadata such as IP address, timing, and possibly document-generation context to a third party. In a Markdown-to-image skill, this is not necessary for core functionality and increases privacy, reliability, and supply-chain risk if the remote asset changes or becomes unavailable.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly states that remote images are automatically downloaded, but it does not warn users that rendering a Markdown file can trigger outbound network requests to third-party hosts. This can leak IP address, user agent, timing, and possibly access patterns when processing untrusted Markdown, creating privacy and SSRF-style risk if internal or sensitive URLs are referenced.
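The remote-image, YouTube-thumbnail and missing-warning findings above share a remedy on the input side: know what a document will make the renderer fetch before rendering it, and tell the user. The following is an added example, not code from the skill or from SkillSpector. It scans Markdown for image references and YouTube links, resolves each to a host, and classifies it as internal (loopback, RFC 1918, link-local including the 169.254.169.254 metadata endpoint, `.internal`) or external, which is the difference between an SSRF-style fetch and a privacy leak. The regexes, the `consentSummary` helper and the sample Markdown are mine and constructed.

```javascript
// Added example, not the skill's own code: pre-flight scan of input Markdown for
// references that will make the renderer contact the network, ranked so the agent can
// warn the user before anything is fetched. The sample Markdown at the bottom is constructed.

const IMAGE_MD = /!\[[^\]]*\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;     // ![alt](url "title")
const IMAGE_HTML = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi; // <img src="url">
const YOUTUBE = /https?:\/\/(?:www\.)?(?:youtube\.com\/watch\?[^\s)]*v=|youtu\.be\/)[\w-]{11}/g;

// RFC 1918, loopback, link-local (incl. the 169.254.169.254 cloud metadata endpoint) and 0/8.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// 'internal': a fetch would hit loopback, private or link-local space (SSRF-style).
// 'external': a third party learns the host's IP, timing and that this document was rendered.
function classifyHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.internal')) return 'internal';
  // IPv6 literals keep their brackets in URL.hostname
  if (h === '[::1]' || /^\[f[cd]/.test(h) || h.startsWith('[fe80')) return 'internal';
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return isPrivateIPv4(h) ? 'internal' : 'external';
  // A public name can still resolve to a private address (DNS rebinding); only a check at
  // the resolver in the fetch path catches that, so a static scan is a pre-flight, not a guard.
  return 'external';
}

function findRemoteReferences(markdown) {
  const found = [];
  const record = (kind, raw) => {
    let url;
    try { url = new URL(raw); } catch { return; } // relative path: local file, no egress
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return;
    found.push({ kind, url: url.href, host: url.hostname, risk: classifyHost(url.hostname) });
  };
  for (const m of markdown.matchAll(IMAGE_MD)) record('image', m[1]);
  for (const m of markdown.matchAll(IMAGE_HTML)) record('image', m[1]);
  // The skill derives a thumbnail URL from any YouTube link it finds, so a plain link is an egress too.
  for (const m of markdown.matchAll(YOUTUBE)) record('youtube-thumbnail', m[0]);
  return found;
}

// What an agent should show the user before rendering, instead of "do not ask for parameters".
function consentSummary(refs) {
  if (refs.length === 0) return 'No remote references; rendering stays local.';
  const internal = refs.filter((r) => r.risk === 'internal').length;
  return `${refs.length} remote fetch(es) during rendering, ${internal} into internal address space: ` +
    refs.map((r) => `${r.kind} ${r.host}`).join(', ');
}

// Constructed sample input: one local image, one CDN image, one metadata-service probe
// hidden in an <img> tag, one YouTube link and one loopback image.
const SAMPLE_MARKDOWN = `# Release notes
![logo](./assets/logo.png)
![hero](https://cdn.example.com/hero.png)
<img src="http://169.254.169.254/latest/meta-data/">
Talk recording: https://youtu.be/dQw4w9WgXcQ
![local](http://127.0.0.1:8080/secret.png)
`;

console.log(consentSummary(findRemoteReferences(SAMPLE_MARKDOWN)));
```

The scan is deliberately a pre-flight rather than an enforcement point: a hostname that looks public can still resolve to a private address, so the result is for informing the user and for choosing whether to render at all, not a substitute for blocking egress in the renderer.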

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read the full file and write generated images to Downloads automatically, while explicitly saying not to ask the user any parameters. This reduces informed consent for file access and filesystem writes, making unintended disclosure, processing of sensitive local content, or clutter/overwrite risks more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The directory deletion happens silently, with no warning, consent, or indication that existing files may be removed. In the context of a content-conversion skill, users would not reasonably expect destructive filesystem behavior, making accidental data loss significantly more likely.

Known Vulnerable Dependency: mermaid==11.14.0 (4 advisories): CVE-2026-41150 (Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS); CVE-2026-41159 (Mermaid: Improper sanitization of configuration leads to CSS injection); CVE-2026-41149 (Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML inj) +1 more

Low
Category
Supply Chain
Confidence
94% confidence
Finding
mermaid==11.14.0

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean. A clean antivirus verdict says nothing about the findings above, which are design and behavior issues rather than malware signatures.

View on VirusTotal