ClawHub

page-doc-generator

Security checks across malware telemetry and agentic risk

Overview

This skill locally generates documentation from user-selected mini-program project files and screenshots, with no evidence of hidden data transfer, persistence, or destructive behavior.

Install only if you are comfortable letting it read the selected project pages and screenshots and write generated documentation files. Review the Markdown/DOCX before sharing, watch for private code, secrets, absolute paths, or sensitive screenshots, and avoid running it where same-named output files must be preserved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly describes capabilities to read project files, write documentation outputs, and invoke a shell command via pandoc, yet it declares no permissions or safety boundaries. That mismatch is dangerous because users and policy systems cannot accurately understand or constrain what the skill can access and execute, increasing the chance of unintended file access, overwrites, or command execution in sensitive environments.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to match generic requests like generating project documentation, which could cause the skill to activate outside its intended mini-program page-documentation context. This is risky because an over-broad trigger can lead to unintended access to local projects, screenshots, or file-writing behavior when the user did not specifically request this workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that it generates Markdown and DOCX files in the project directory but does not warn about file creation or possible overwriting of existing files with the same names. In a real project, this can lead to accidental data loss, repository pollution, or modification of user files without explicit consent, especially because outputs are derived automatically from the project name.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes a documentation file that embeds full Vue source code, absolute project paths, and screenshot references with no sanitization, minimization, or warning. In the context of an agent skill intended to package project documentation, this can unintentionally disclose proprietary source, secrets hardcoded in files, internal filesystem layout, or sensitive UI content if the generated document is shared outside the trusted environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal