ClawHub

Somark Document Parser

Security checks across malware telemetry and agentic risk

Overview

This document parser is coherent, but it broadly steers document work through a third-party service and can upload sensitive files without a clear consent step.

Review before installing. Use this only for documents you are comfortable sending to SoMark, avoid confidential or regulated files unless your organization permits that service, keep SOMARK_API_KEY private, and do not add the suggested CLAUDE.md default unless you want future document tasks routed through SoMark.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads entire local files and sends them to https://somark.tech via aiohttp without any explicit consent prompt, warning, or local-only alternative. Because this skill is positioned as a general document parser for resumes, contracts, reports, and manuals, it can transmit highly sensitive documents to a third-party service, creating confidentiality, compliance, and data-governance risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger guidance is overly broad and says SoMark 'must be used first' for essentially any document-related request, including tasks like reviewing resumes or summarizing papers that may not require external upload. This can cause unnecessary disclosure of sensitive files to a third-party API and reduce user control over whether external processing is appropriate.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs use of an external SoMark API but does not prominently warn that document files, contents, and possibly embedded sensitive data will be sent off-platform for processing. This undermines informed consent and can lead to inadvertent disclosure of confidential, regulated, or personal information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The upload happens automatically in submit_task() with no user-facing warning that input files leave the local environment. In a document-processing skill, users may reasonably expect local parsing, so silent exfiltration of document contents to a remote API is a meaningful security and privacy issue.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal