Own Style Writer

Security checks across malware telemetry and agentic risk

Overview

This skill processes user-selected writing materials and has disclosed, opt-in third-party document upload behavior.

Install only if you are comfortable letting the skill read the style and content folders you provide. Use the default/local MarkItDown path for private documents, and enable MinerU upload only for files you are willing to send to that third-party service. Review the generated .own-style-writer output directory because it contains converted copies and manifests of your source materials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The library will fetch any user-provided http/https URI via requests.Session.get() with no allowlist, scope restriction, or explicit consent check in this code path. In the context of a writing/style-analysis skill that is supposed to process local user materials, this broad network-fetch capability can be abused for unintended outbound requests, including access to attacker-controlled content or internal network targets if upstream callers pass untrusted URLs.

Context-Inappropriate Capability

Severity: Medium | Confidence: 84%
The plugin loader imports and executes all installed entry points in the markitdown.plugin group, and plugin registration code is invoked with broad access to the converter instance. If plugins are enabled in deployment, this expands behavior beyond the skill's stated document-conversion scope and can execute unreviewed third-party code inside the skill environment.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
This converter sends uploaded file contents to Azure Content Understanding for analysis, which is a real data-flow to a third-party service. In the context of a skill described as handling local documents with offline fallback, undisclosed remote processing materially changes the trust boundary and can expose sensitive user materials if invoked without clear consent and routing controls.

Context-Inappropriate Capability

Severity: Medium | Confidence: 78%
The file explicitly supports audio and video ingestion even though the skill's stated purpose is writing-style learning from document materials. Expanding accepted modalities beyond business need increases the attack surface and privacy exposure because users may unknowingly provide rich media containing unrelated sensitive content that is then processed externally.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
This converter is wired to authenticate to Azure and use Azure Document Intelligence for document parsing, which means user-supplied files may be processed by a third-party cloud service rather than purely locally. In the context of a skill described as handling local style/content extraction with offline fallback, this creates a meaningful data exposure and transparency risk if users are not explicitly informed and do not consent.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The code reads the entire input file and submits it to Azure Document Intelligence via begin_analyze_document, causing full document contents to leave the local environment. For a writing/style-analysis skill likely handling sensitive manuscripts, notes, or proprietary files, undisclosed whole-document upload is a significant confidentiality risk and exceeds a reasonable expectation of local-only processing.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The converter can transmit full image contents to an external multimodal LLM whenever an llm_client and llm_model are provided, by base64-encoding the file and embedding it in the API request. In this skill context, the broader feature set includes local document/style extraction, so silently sending user images off-box creates a real data exposure risk, especially for personal, proprietary, or regulated images.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
This code transmits the full image contents to an external LLM service for captioning via `client.chat.completions.create(...)`. In the context of a writing-style skill that processes local user documents, this creates a real data-exfiltration risk because potentially sensitive image content can leave the local environment without any visible permission check, policy gate, or scope restriction in this component.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The code calls `recognize_google(audio)`, which transmits audio content to an external Google speech recognition service. In the context of a writing-style skill focused on local document/style extraction, this is an unexpected network data flow that can expose sensitive user-provided audio without clear necessity or disclosure.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
This converter includes functionality that uploads audio-derived content to an external service, but the described skill workflow emphasizes document conversion and writing-style analysis rather than third-party speech processing. That mismatch increases the risk of undisclosed data exfiltration and violates user expectations about how local materials are handled.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
The converter performs network retrieval of YouTube transcripts during HTML conversion, which expands behavior from parsing provided local content to contacting an external service. In this skill’s context, which emphasizes local/offline document processing and clear separation of style/content materials, this creates an unexpected outbound data flow and non-local side effect that can surprise users and violate privacy or deployment assumptions.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Fetching remote transcripts is not necessary for the stated purpose of this skill, which is writing in a user’s style from user-provided/local materials. Because the feature reaches beyond the declared scope, it increases the risk of hidden data access, policy violations, and inconsistent behavior in restricted environments.

Missing User Warnings

Severity: Medium | Confidence: 88%
When `--allow-upload` is enabled, the script may send local documents to MinerU's external service, but it does not present a clear runtime disclosure at the exact upload step describing that document contents leave the local environment. In a writing-style skill, inputs are likely to include private manuscripts, internal documents, or copyrighted material, so silent transmission increases the risk of unintended data exposure and user-consent failure.

Missing User Warnings

Severity: Medium | Confidence: 90%
The single-file MinerU agent path uploads documents externally after only checking `args.allow_upload`, without a direct runtime warning at the moment of transmission. Because this skill is specifically designed to process user-supplied local writing materials, the affected files may contain sensitive personal, business, or unpublished content, making undisclosed external transfer materially risky.

Missing User Warnings

Severity: Medium | Confidence: 88%
This code path performs outbound HTTP/HTTPS requests automatically when given a URL, but there is no indication here of any user-facing warning, consent boundary, or audit notice. For a skill advertised around local document/style extraction, silent remote fetching increases privacy and security risk because user or model-provided inputs may trigger network access unexpectedly.

Missing User Warnings

Severity: Medium | Confidence: 92%
The converter reads the full file into memory and submits it to Azure via begin_analyze_binary without any user-facing warning in this component. For a style-writing skill that may process private local files, silent transmission to an external cloud service creates a meaningful confidentiality risk and undermines informed consent.

Missing User Warnings

Severity: Medium | Confidence: 93%
This code path transmits document bytes to Azure without any disclosure, prompt, or consent mechanism in the implementation itself. In a skill that processes user documents for writing assistance, silent remote transmission increases privacy and compliance risk, especially for confidential business, personal, or copyrighted material.

Missing User Warnings

Severity: Medium | Confidence: 98%
This code constructs a data URI containing the entire base64-encoded image and sends it to an external chat completions API without any visible consent, warning, or policy enforcement in the converter. In a writing/style-analysis skill, users may reasonably expect local conversion of uploaded materials, so undisclosed transfer of raw image content increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 95%
The function sends base64-encoded image data to an external model endpoint but contains no visible user notice, consent flow, or audit signal. That is dangerous because users may reasonably expect local document conversion for uploaded files, while embedded screenshots, IDs, diagrams, or other sensitive images are silently disclosed to a remote provider.

Missing User Warnings

Severity: Medium | Confidence: 95%
This code conditionally sends embedded slide images to an external LLM captioning service whenever `llm_client` and `llm_model` are supplied, but there is no consent check, policy gate, redaction step, or user-visible warning at the point of transfer. PPTX files commonly contain sensitive screenshots, internal diagrams, customer data, or regulated content, so silent transmission to a third-party model provider can create a confidentiality and compliance exposure.

Missing User Warnings

Severity: Medium | Confidence: 96%
`recognize_google` sends the captured audio to Google's service, yet this code provides no warning, consent flow, or disclosure to the user. If users provide sensitive voice notes or embedded audio, their content may be transferred off-device unexpectedly, creating privacy and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 91%
The code sends the YouTube video ID to the transcript API/library without any explicit warning or consent mechanism in this file. Even if the identifier is not highly sensitive by itself, this is still an external disclosure of user-referenced content and can leak usage patterns or violate expectations for local document conversion.

VirusTotal

58/58 vendors flagged this skill as clean.
