Zeplin to Prompt

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Zeplin export tool, but it stores Zeplin tokens and exported design data locally, so users should install it only if they are comfortable with that workflow.

Use a least-privileged Zeplin personal access token, revoke or rotate it when finished, and delete ~/.zeplin-skill-config.json if you do not want the token saved. Treat exported zips, raw.json, assets, and layers_tree.html as proprietary design data. Prefer installing from the lockfile in a trusted workspace, and be cautious opening generated HTML from designs you do not trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The skill goes beyond its declared export purpose by generating and writing an HTML document and preview, then preparing it for local viewing. Rendering HTML from remotely sourced Zeplin content increases the attack surface because any unsafe content handling in the HTML generation path could lead to local active content execution or data exposure when opened in the browser. In this context, the mismatch between stated purpose and behavior makes the finding more concerning, because users expect a passive export artifact, not executable preview content.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The code invokes a local OS command via execSync to open Finder/browser windows, which is unnecessary for a data export utility and creates side effects on the analyst's machine. Even though the path is partially quoted, using shell execution for opening local resources is risky and expands the impact of any unsafe file generation by immediately launching it, potentially triggering browser-based execution of malicious content. The skill context makes this more dangerous because the expected behavior is offline export packaging, not automatic interaction with local applications.

Context-Inappropriate Capability

Medium (98% confidence)
Finding
The generated HTML document injects `meta.preview` directly into the page and also embeds an inline client script, which means any attacker-controlled HTML inside the preview can execute active content in the browser. Because this skill exports third-party Zeplin content into a local HTML artifact that users are likely to open and trust, a malicious screen payload could trigger stored/local XSS, manipulate the page, exfiltrate local data available to the page context, or abuse clipboard and UI interactions.

Missing User Warnings

Medium (95% confidence)
Finding
The skill tells the operator to persist a user-supplied Zeplin access token in ~/.zeplin-skill-config.json for future reuse, but it does not clearly disclose that this is long-lived credential storage or obtain explicit consent for persistence. Storing bearer tokens on disk increases the risk of unintended reuse, local compromise, token leakage through backups or home-directory exposure, and use of a broader-scope token than necessary.

Missing User Warnings

Low (91% confidence)
Finding
The script automatically launches the generated index via execSync using a shell command, which creates undisclosed side effects and can execute an OS command without explicit user consent. Although the path is quote-escaped and derived locally, auto-opening files is still a potentially unsafe behavior in agent contexts because it triggers local application execution unexpectedly.

Missing User Warnings

Medium (99% confidence)
Finding
`meta.preview` is inserted verbatim into the returned HTML template without escaping or sanitization. If preview content can originate from Zeplin metadata, imported design annotations, or any upstream untrusted source, an attacker can inject arbitrary markup or script-bearing elements into the exported preview, turning the output into an XSS-capable document rather than a passive export.

Missing User Warnings

Medium (91% confidence)
Finding
The code persists per-layer prompt/instruction text into localStorage under a predictable key, and these prompts may contain sensitive design context, implementation guidance, or proprietary user-entered content. localStorage is long-lived, readable by any script running on the same origin, and survives browser restarts, so storing this data without explicit disclosure, consent, retention limits, or stronger protection increases exposure to XSS, shared-device leakage, and unintended persistence.

VirusTotal

66/66 vendors flagged this skill as clean.
