Mermaid Image Export

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent diagram-export purpose, but one batch helper can run arbitrary shell commands through an under-scoped command option.

Install only if you trust the skill and will use it in a controlled workspace. Do not pass untrusted or agent-derived values to --mermaid-cmd, prefer invoking mmdc directly, and do not follow the no-sandbox or SELinux-disabling troubleshooting steps on a sensitive host unless you are in an isolated test or CI environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"Command: {' '.join(cmd)}")

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            timeout=60  # 60 second timeout
        )
Confidence
92% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 # 60 second timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_command(cmd):
    """Run a command and return (success, output)."""
    try:
        result = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, timeout=10
        )
        return result.returncode == 0, result.stdout.strip()
Confidence
93% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=10 )

Tp4

High
Category
MCP Tool Poisoning
Confidence
78% confidence
Finding
The skill is presented as an image export helper, but its documented behavior also includes environment inspection and package installation via npm, including global install commands. That broader behavior increases the attack surface because installation steps execute external package-manager actions and modify the host environment, which may be unexpected for users invoking a seemingly simple export skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script accepts a user-controlled --mermaid-cmd value, concatenates it into a shell command string, and executes it with eval. That means an attacker can supply arbitrary shell syntax instead of a Mermaid CLI binary, leading to command execution far beyond the stated purpose of exporting diagrams.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The help text presents --mermaid-cmd as a way to choose the Mermaid CLI, but the implementation later treats the value as arbitrary shell input and executes it. This mismatch is dangerous because users may reasonably trust the option as limited-scope while it actually enables full command injection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The troubleshooting guide recommends disabling Chromium/Puppeteer sandbox protections using --no-sandbox and --disable-setuid-sandbox, but it does not clearly warn that this materially reduces browser isolation and can increase the impact of malicious content or renderer compromise. Because this skill renders user-supplied Mermaid content through a headless browser, normalizing unsandboxed execution makes the guidance security-relevant rather than merely operational.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The SELinux section suggests sudo setenforce 0 as a troubleshooting step with only a brief note that it is not recommended for production, which understates the security consequence of disabling mandatory access controls. This can lead users to weaken host protections system-wide while diagnosing a diagram export problem.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Using eval on a command assembled from user-influenced values creates shell injection risk even if the feature was intended for convenience. In an agent skill context, this is more dangerous because automated workflows may pass through untrusted parameters or file names, turning a diagram export utility into a general command execution primitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The --mermaid-cmd option permits a user to supply the executable and arguments that will later be run by subprocess.run. Even without shell metacharacter injection, this is still arbitrary local program execution under the privileges of the script, which is especially risky for an agent skill that may process untrusted task inputs. The lack of strong warning, validation, or restriction makes accidental or malicious abuse more plausible.
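The four --mermaid-cmd findings above (Context-Inappropriate Capability, Intent-Code Divergence and the two eval/subprocess warnings) and the shell=True subprocess finding describe one pattern: a user-supplied command is spliced into a string that a shell parses. The following is an added example, not code from the scanned skill, that reproduces that pattern beside a hardened replacement. The function names, the executable allowlist (mmdc and npx are assumed to be the only legitimate launchers) and the constructed hostile input are assumptions of this example; the hardened version tokenizes without a shell, requires argv[0] to resolve to an allowlisted program, rejects shell-significant characters in any further tokens, and executes an argument vector with shell=False.

```python
"""Added example, not code from the skill being scanned: the injectable
--mermaid-cmd pattern the findings describe, beside a hardened variant.
Function names, the allowlist and the sample inputs are assumptions."""
import os
import shlex
import shutil
import subprocess

# Executables a diagram-export helper has any business launching (assumed).
DEFAULT_ALLOWED = frozenset({"mmdc", "npx"})
# Conservative character set for any extra tokens the user appends to the
# command (e.g. "npx mmdc"): no whitespace, quotes or shell metacharacters.
_ARG_OK = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789._/@=:-")


def build_unsafe(mermaid_cmd: str, src: str, out: str) -> str:
    """The reported pattern: the option value is spliced into one string that
    is later handed to a shell (shell=True here, `eval` in the batch helper).
    Every metacharacter in mermaid_cmd is interpreted by that shell."""
    return f"{mermaid_cmd} -i {src} -o {out}"


def run_unsafe(mermaid_cmd: str, src: str, out: str) -> str:
    """Run the spliced string through the shell and return what it printed."""
    res = subprocess.run(build_unsafe(mermaid_cmd, src, out),
                         shell=True, capture_output=True, text=True, timeout=10)
    return res.stdout


def parse_mermaid_cmd(value: str, allowed=DEFAULT_ALLOWED) -> list:
    """Hardened replacement: tokenize without a shell, require that argv[0]
    resolves on PATH to an allowlisted executable, and that every further
    token is free of shell-significant characters."""
    tokens = shlex.split(value)
    if not tokens:
        raise ValueError("empty --mermaid-cmd")
    exe = shutil.which(tokens[0])
    if exe is None or os.path.basename(exe) not in allowed:
        raise ValueError(f"--mermaid-cmd executable not permitted: {tokens[0]!r}")
    for tok in tokens[1:]:
        if not set(tok) <= _ARG_OK:
            raise ValueError(f"unsafe token in --mermaid-cmd: {tok!r}")
    return [exe] + tokens[1:]


def run_safe(mermaid_cmd: str, src: str, out: str, allowed=DEFAULT_ALLOWED):
    """Execute an argument vector: no shell parses anything, so src and out
    reach the program as literal arguments even if they contain ';' or '$'."""
    argv = parse_mermaid_cmd(mermaid_cmd, allowed) + ["-i", src, "-o", out]
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=60)


if __name__ == "__main__":
    # Constructed hostile value: a harmless program followed by an injected command.
    hostile = "true; echo INJECTED"
    print("unsafe ->", run_unsafe(hostile, "in.mmd", "out.png").strip())
    try:
        run_safe(hostile, "in.mmd", "out.png", allowed={"true"})
    except ValueError as e:
        print("safe   ->", e)
```

Run on a POSIX host, the unsafe path prints the injected text because the shell splits the string at the semicolon; the hardened path rejects the same value before anything executes, since "true;" resolves to no program. Note that the allowlist is what closes the "arbitrary local program execution" finding: validating metacharacters alone still lets a caller name any binary on PATH.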

VirusTotal

67/67 vendors flagged this skill as clean.