xiaohongshu card generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local card generator, but it has under-disclosed paths that can execute MDX/HTML content or make unrestricted remote image requests.

Review before installing. Use this only with trusted Markdown/MDX files, avoid --mdx-mode for content from others, and be aware that raw HTML or image URLs in input can execute/render in Chromium or contact remote hosts. Installation will download npm packages and Playwright Chromium, and rendering writes PNG/report files to the chosen output directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The non-MDX path explicitly enables dangerous HTML with `allowDangerousHtml: true` and parses raw HTML via `rehypeRaw`, so attacker-controlled Markdown can inject arbitrary HTML into the rendered output. In a card-generation/rendering skill, this exceeds expected plain Markdown handling and can lead to XSS or unsafe content injection if the HTML is later displayed in a browser, webview, or downstream renderer.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The MDX path uses `evaluate(markdown, ...)`, which compiles and executes embedded JSX/MDX expressions from the provided content rather than treating it as inert text. That gives untrusted input code-like execution semantics during rendering, far beyond a normal Markdown-to-card feature, and can enable arbitrary JavaScript execution, data exposure, SSR-side effects, or malicious markup generation depending on runtime context.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Evaluating user-supplied MDX is unjustified for a skill whose stated purpose is rendering Markdown/text into Xiaohongshu-style cards. Because MDX supports executable expressions and component logic, this introduces a powerful and unnecessary attack surface that an attacker can abuse to run logic during server-side rendering or generate dangerous output for clients.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The code performs server-side fetching of arbitrary remote image URLs and converts the responses into data URLs. This creates an SSRF-style network primitive that can reach attacker-controlled destinations and potentially internal services, which goes beyond simple local card rendering and is risky if input HTML is user-controlled.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
When processRemoteImages is enabled, any http/https image source found in the input HTML is fetched without host restrictions. Because the HTML content may be attacker-influenced, this enables arbitrary outbound requests and can be abused for SSRF, internal network probing, and unexpected data transfer during a rendering workflow.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger phrases include broad terms such as '制作卡片' and references to rendering Markdown/text, which can match many ordinary user requests outside the intended XHS-card scope. Over-broad activation can cause the wrong skill to engage, leading to unintended file handling, command execution suggestions, or user confusion in contexts where a simpler or safer tool should be used.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The fetch path transmits requests to third-party servers based on image URLs embedded in content, but this code shows no user-facing disclosure or consent mechanism. That can leak the server/client IP, timing, and request metadata during rendering in a way users may not expect.

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content
      <head>
        <meta charSet="utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <style dangerouslySetInnerHTML={{ __html: styleText }} />
      </head>
      <body>
        <div id="app" dangerouslySetInnerHTML={{ __html: bodyHtml }} />
Confidence: 97%
Finding
dangerouslySetInnerHTML={

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content
        <style dangerouslySetInnerHTML={{ __html: styleText }} />
      </head>
      <body>
        <div id="app" dangerouslySetInnerHTML={{ __html: bodyHtml }} />
      </body>
    </html>
  );
Confidence: 99%
Finding
dangerouslySetInnerHTML={

VirusTotal

64/64 vendors flagged this skill as clean.
