ClawHub

Sube Test

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it converts a chosen local document to Markdown by uploading it to the disclosed PDRouter/PDFlux service.

Install only if you are comfortable sending selected documents to PDFlux/PDRouter for parsing. Use a dedicated API key when possible, verify the file path before running it, and treat Markdown extracted from untrusted documents as untrusted content in later agent workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares environment-variable and network use in metadata/openclaw requirements and throughout the behavior description, but there is no explicit permissions declaration to make those capabilities visible to policy and review layers. This can weaken least-privilege enforcement and make it easier for a skill to access secrets and transmit user files to an external service without sufficiently explicit consent boundaries.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default prompt says to 'Always execute' the bundled conversion script for a wide range of local file types, which creates an overly broad activation condition for many generic document-handling requests. This can cause unnecessary processing of local user files and unintended data exposure to the skill or its backing service, especially because the skill description is broadly applicable to PDFs, Office documents, and images.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal