MD to PDF

Security checks across malware telemetry and agentic risk

Overview

This PDF converter mostly does what it says, but it also hands the agent an out-of-scope QQ Bot file-sending workflow, attaches to a broad browser-debugging (CDP) path, and loads a third-party script live at render time.

Review before installing. Use it only for Markdown you are comfortable rendering in a browser; give the debugging port an isolated Chrome profile rather than your everyday one; pass --no-mermaid for untrusted or sensitive documents unless Mermaid is vendored locally; and require explicit user approval before any generated PDF is copied to QQ Bot media or sent externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83%
Finding
The skill documentation describes file read/write and shell-style execution behavior, but the manifest does not declare corresponding permissions. This creates a transparency and policy gap: callers may invoke a skill with broader local-system effects than expected, including reading Markdown/CSS, writing PDFs, and launching local tooling such as Pandoc or browser automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The documented purpose is Markdown-to-PDF conversion, but the behavior expands into higher-risk capabilities: connecting to an already-running Chrome DevTools endpoint on 127.0.0.1:9222, starting a local HTTP server, mutating input content, and fetching Mermaid code from an external CDN. CDP access is especially sensitive because an exposed browser debugging port can grant broad control over browser state, pages, cookies, and local browsing context beyond the conversion task.
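The recommendation above to give the debugging port an isolated Chrome profile, and this finding's concern about what an exposed CDP port can reach, can be put into practice with a small launch-and-verify script. The following is an added example, not code from the skill or from SkillSpector; it assumes a google-chrome binary (override with CHROME), the 9222 port the finding names (override with PORT), and `ss` for listing listening sockets. The `ss` output in the usage note and test is constructed.

```shell
#!/bin/sh
# Added example (not part of the skill): run the browser that the converter
# drives over CDP in a throwaway profile, then verify the debugging port is
# reachable from loopback only. CHROME and PORT are assumptions; adjust.

CHROME="${CHROME:-google-chrome}"
PORT="${PORT:-9222}"

# Start headless Chrome with its own empty profile directory. Whatever reaches
# the debug port then controls that empty profile, not the user's cookies,
# sessions or history. Prints the profile directory so it can be removed later.
launch_isolated_chrome() {
  profile_dir="$(mktemp -d)"
  "$CHROME" --headless=new \
    --user-data-dir="$profile_dir" \
    --remote-debugging-address=127.0.0.1 \
    --remote-debugging-port="$PORT" \
    about:blank >/dev/null 2>&1 &
  echo "$profile_dir"
}

# Read `ss -ltn` output on stdin and print every listener on port $1 whose
# local address is not 127.0.0.1 or [::1], i.e. reachable from off-host.
non_loopback_listeners() {
  awk -v port="$1" '
    NR > 1 {
      addr = $4
      # split host:port at the last colon; handles 0.0.0.0:9222 and [::]:9222
      n = split(addr, parts, ":")
      p = parts[n]
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p == port && host != "127.0.0.1" && host != "[::1]") print addr
    }'
}

# Fail if the debugging port is exposed beyond loopback.
check_debug_port() {
  exposed="$(ss -ltn 2>/dev/null | non_loopback_listeners "$PORT")"
  if [ -n "$exposed" ]; then
    echo "debug port $PORT exposed beyond loopback: $exposed" >&2
    return 1
  fi
  echo "debug port $PORT is loopback-only"
}

case "${1:-}" in
  launch) launch_isolated_chrome ;;
  check)  check_debug_port ;;
esac
```

Run `./cdp-isolated.sh launch` before the converter connects and `./cdp-isolated.sh check` afterwards; a line such as `0.0.0.0:9222` from the check means the port is answering on every interface and the converter should not proceed. Delete the printed profile directory once the PDF is produced.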

Context-Inappropriate Capability

Medium
Confidence
88%
Finding
The documentation includes a QQ Bot file-delivery workflow that is unrelated to local Markdown-to-PDF conversion, expanding the skill into message/file exfiltration territory. Even though presented as a usage note, embedding a copy-to-media-directory plus send-message path creates a ready-made channel for transferring generated or sensitive PDFs to an external messaging target.

Context-Inappropriate Capability

Medium
Confidence
95%
Finding
The skill loads Mermaid JavaScript from a public CDN at render time inside the browser context, creating unexpected outbound network access during local document conversion. This expands the trust boundary to an external third party, leaks usage metadata, and could expose users to supply-chain compromise or nondeterministic rendering if the remote script changes or is unavailable.
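A converter that claims to render locally can check, before the HTML reaches the browser, that nothing in it would be fetched from an outside origin; this covers the render-time CDN load in this finding and the same Mermaid fetch noted in the tool-poisoning finding above. The Python below is an added example, not the skill's code. It audits rendered HTML for remote script, stylesheet, image and frame URLs, treats the converter's own loopback HTTP server as local, and rewrites remote scripts to vendored copies when one is available, leaving anything else as a list that a strict pipeline should refuse to render. The sample HTML and the cdn.example and tracker.example URLs are constructed for the example; the page does not name the CDN the skill actually uses.

```python
"""Pre-render audit for a Markdown-to-PDF pipeline (added example, not the skill's code).

Before rendered HTML is handed to the browser for PDF printing, list every
resource the browser would fetch from a non-local origin, and rewrite remote
scripts to vendored local copies where one exists so conversion stays offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose value the browser fetches when the page loads.
FETCHING_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

# The converter's own local HTTP server is expected; these hosts count as local.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def is_remote(url: str) -> bool:
    """True if loading this URL would leave the machine."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return False  # data:, file:, blob: and similar never touch the network
    if not parts.netloc:
        return False  # relative path, resolved against the local document
    return parts.hostname not in LOOPBACK_HOSTS  # also catches scheme-relative //cdn/...


class RemoteResourceFinder(HTMLParser):
    """Collect (tag, url) pairs for every fetching attribute in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.remote = []
        self.local = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        (self.remote if is_remote(url) else self.local).append((tag, url))


def audit_html(html: str) -> list:
    """Return the remote (tag, url) pairs the browser would fetch for this HTML."""
    finder = RemoteResourceFinder()
    finder.feed(html)
    finder.close()
    return finder.remote


def make_offline(html: str, vendored: dict) -> tuple:
    """Rewrite remote resources to vendored paths keyed by file name.

    Returns the rewritten HTML and the remote URLs with no vendored copy; a
    strict pipeline refuses to render while that list is non-empty. The caller
    is responsible for having downloaded and reviewed each vendored file.
    """
    unresolved = []
    for _tag, url in audit_html(html):
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        if name in vendored:
            html = html.replace(url, vendored[name])
        else:
            unresolved.append(url)
    return html, unresolved


# Constructed sample: a local stylesheet, a stylesheet from the converter's own
# loopback server, an inline data: image, and two external fetches (a Mermaid
# script from a placeholder CDN and a tracking pixel embedded in the Markdown).
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="http://127.0.0.1:8000/github.css">
<script src="https://cdn.example/npm/mermaid/dist/mermaid.min.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=">
<img src="https://tracker.example/pixel.png">
<pre class="mermaid">graph TD; A-->B;</pre>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in audit_html(SAMPLE_HTML):
        print(f"remote {tag}: {url}")
    offline_html, unresolved = make_offline(
        SAMPLE_HTML, {"mermaid.min.js": "vendor/mermaid.min.js"}
    )
    print("still remote after vendoring:", unresolved)
```

Vendoring only fixes the script the pipeline knows about; the unresolved list is what makes the check useful for untrusted Markdown, since an author-supplied image or frame URL is an outbound request the user never asked for. Keyed-by-file-name matching is deliberately simple and assumes the vendored file was taken from the same release the page referenced.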

VirusTotal

65/65 vendors flagged this skill as clean.
