Plantuml-skill

Security checks across malware telemetry and agentic risk

Overview

This PlantUML skill does what it says, but it sends diagram contents to a public PlantUML server by default without an explicit consent step.

Install only if you are comfortable sending diagram source to the public PlantUML server by default. Avoid using it with confidential architecture, internal endpoints, credentials, proprietary workflows, or customer data unless you modify the workflow to use local rendering and pin or control the Docker/JAR backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill appears capable of invoking shell-level functionality without declaring corresponding permissions, which breaks the expected trust and review model for agent skills. Undeclared execution capability is dangerous because it can enable command execution, file access, or network-mediated actions that users and platform controls may not anticipate.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The declared purpose says the skill converts natural language into UML diagrams, but the observed behavior includes uploading PlantUML source to an external public server and accepting direct .puml input instead. This mismatch is risky because users may provide sensitive architecture or system design data under the assumption of local-only diagram generation, leading to unintended data exfiltration and weakened informed consent.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script posts the full PlantUML source to the public PlantUML server by default, which can exfiltrate sensitive user prompts, embedded secrets, internal architecture details, or proprietary system design data to an external third party. In the context of an agent skill that turns natural language into diagrams, users may reasonably expect local rendering, so making remote transmission the preferred path materially increases privacy and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script posts the full PlantUML source to the public PlantUML server by default, which creates an external data exfiltration path that is not obvious from a simple 'draw/render UML diagram' skill description. Diagram source often contains architecture details, internal identifiers, accidentally included credentials, or proprietary workflows, so sending it to a third party can expose sensitive information.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Using Docker as a fallback introduces a local code/execution capability beyond simple text-to-diagram rendering, including pulling and running a container image from an external registry. In an agent skill context, this expands the attack surface and can violate least-privilege expectations, especially when users do not expect container execution as part of rendering.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script comments state that the public PlantUML server is the preferred default backend, but there is no explicit runtime privacy warning or consent mechanism before uploading user-supplied diagram content. In practice this can cause unintentional disclosure of sensitive model data because users may reasonably assume rendering is local.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly prefers sending diagram source to the public PlantUML server for rendering, but it does not require warning the user that their prompt-derived content may be transmitted to a third party over the internet. If users include proprietary architecture, credentials, internal endpoints, or sensitive workflow details in diagrams, this can cause unintended external disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.