Xiaohongshu Card Creator

Security checks across malware telemetry and agentic risk

Overview

This card generator mainly matches its purpose, but its optional AI mode can send your Markdown to external model services without clear disclosure in the main instructions.

Review the scripts before installing. The default local card generation appears limited, but do not use --llm with private drafts, business notes, or regulated data unless you trust the configured provider and endpoint. Be aware that generated HTML depends on a remote html2canvas CDN script for downloading PNGs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence: 92%
Finding
A description-behavior mismatch is a real security and trust issue here because the skill claims local Markdown-to-card conversion, while the analysis indicates LLM/API-based processing and limited template substitution not disclosed to the user. Undisclosed external transmission of user content can expose sensitive text, and misleading capability claims prevent informed consent about privacy, costs, and output reliability.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The HTML imports html2canvas from a third-party CDN, which introduces unnecessary network access and a supply-chain trust dependency for a skill described as local HTML/PNG generation. If the CDN resource is modified, blocked, or replaced, users could execute untrusted JavaScript when opening the generated file.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The external script import gives the generated HTML implicit network capability that is not needed for simple card rendering/export and is not justified by the skill description. This expands the attack surface to include remote script delivery, tracking, dependency compromise, and failure modes in offline or restricted environments.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The script broadly loads and exports every key/value pair from a local .env file before it knows whether those values are needed. In a card-generation skill, indiscriminate credential loading expands the process environment unnecessarily, increasing the chance that secrets are exposed to child processes, logs, crashes, or future code paths unrelated to the user's request.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The script reads credentials from a local .env file and transmits user-provided document content to an external LLM service. In the context of a local content-conversion skill, this creates a real data exposure risk because users may reasonably expect offline/local processing unless network use is clearly disclosed.

Description-Behavior Mismatch

Medium
Confidence: 83%
Finding
The tool generates a full HTML document and loads html2canvas from a third-party CDN, which adds undeclared remote code execution within the browser at render time. This expands the skill's behavior beyond simple HTML card generation and introduces supply-chain and privacy risk if the CDN asset is compromised or blocked.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The helper transmits user-provided Markdown content to third-party LLM providers (OpenAI/Anthropic and compatible endpoints). This creates a real data exposure risk because the skill description suggests document/card conversion, but this code path performs external network disclosure of the full input without explicit consent, minimization, or provider trust boundaries.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The template loads and executes JavaScript from a third-party CDN, which creates a supply-chain and trust-boundary risk: if the CDN asset is tampered with, blocked, or swapped, arbitrary code runs in the page context. In a skill whose purpose is local card rendering and downloading, this broadens exposure beyond the minimum required functionality and may process user-provided content inside a page executing remote code.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Executing a full third-party script is more capability than is justified by a simple card-generator template, because it grants external code access to the DOM, rendered content, and any future page logic. This is especially relevant here because the skill likely handles user text and generates downloadable output, so compromise of that dependency could alter rendered cards, exfiltrate content, or perform unwanted actions in the browser.

Missing User Warnings

Medium
Confidence: 88%
Finding
When --llm is used, the script forwards user-provided document content to an external model workflow after loading API credentials, but it gives no clear user-facing notice that local content may leave the machine. In a content-conversion skill, silent external transmission is risky because users may supply sensitive drafts, proprietary text, or personal data expecting local-only processing.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code sends the input Markdown content directly to an external LLM API without any user-facing warning, consent step, or sensitivity check. If users supply private notes, drafts, or confidential business content, that data is disclosed to the configured external provider.

Missing User Warnings

Medium
Confidence: 95%
Finding
The OpenAI code path sends the entire Markdown content to an external API without any notice, consent flow, or sensitivity checks. If users provide private notes, business data, or regulated content, the skill may leak that information to a third party unexpectedly.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Anthropic code path has the same issue as the OpenAI path: full user content is sent to a third-party model service without warning or data-handling controls. This is a privacy and compliance risk, especially because the skill's purpose appears to be formatting content rather than necessarily outsourcing it.

VirusTotal

66/66 vendors flagged this skill as clean.