ClawHub

PM Toolkit - Excalidraw - "Messy Thoughts" to "Visual Spec" in 30 seconds.

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward local diagram generator that writes an Excalidraw file and does not show network access, credential use, persistence, or hidden behavior.

Install only if you are comfortable with a bundled Python script creating a temporary JSON file and saving an Excalidraw file locally. Use a user-controlled output folder and review the generated diagram before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to create, write, and delete files and to place output in a user directory, but the skill metadata does not declare permissions for those filesystem actions. This creates a transparency and policy-enforcement gap: an agent may modify local files without clear consent or appropriate scoping, increasing the risk of unintended writes or deletions.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The workflow directs the agent to create a temporary JSON file, generate an output file in a user directory, and then delete the temporary file, all without explicitly warning the user that local filesystem changes will occur. While the actions are limited and appear related to the stated function of the skill, silent file creation/deletion can surprise users and may overwrite data or leave artifacts in unintended locations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal