word-latex-formula

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to perform the promised Word formula conversion, but its web API can expose saved AI credentials and send manuscript snippets to user-configurable external AI endpoints.

Review before installing. Use the local rule-based workflow for confidential manuscripts, or use a trusted/self-hosted AI endpoint. Avoid saving valuable API keys in the Web UI unless the machine and browser session are trusted, stop the local web server after use, and remove the project .env and storage files when finished.

Publisher note

Word Formula Converter turns manually typed math in Word documents into editable Word equations while preserving layout through local Word/LibreOffice conversion and OOXML edits. By default it works entirely on the user's machine. Optional AI review can improve formula detection and LaTeX normalization; when enabled, only extracted formula candidates and minimal surrounding context are sent to the user-configured model endpoint. Full documents, generated outputs, and API keys are not bundled or uploaded by the default workflow.

SkillSpector (16)

By NVIDIA

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs the agent to use shell execution, read and write local files, access environment variables, and optionally make network requests, but it does not declare permissions. That mismatch weakens user awareness and policy enforcement, especially because the workflow handles sensitive local documents and may read API keys from environment variables.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The optional AI decision path sends document-derived formula text, surrounding context, confidence metadata, and identifiers to a caller-supplied remote API endpoint via /chat/completions. Even though this appears feature-driven rather than malicious, it creates a real data exfiltration risk because manuscript content may contain unpublished research, sensitive formulas, or proprietary text, and the code imposes no domain allowlist, redaction, or explicit consent gate at the transmission point.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The CLI exposes an optional AI mode that sends document-derived candidate text to a remote API endpoint. In a tool whose primary value proposition is local document conversion, this creates a real data-exfiltration/privacy risk because users may process sensitive manuscript content without realizing portions can leave the host.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The AI review path sends extracted formula text and surrounding document context to a configurable external chat-completions endpoint. That creates a real data exfiltration boundary: sensitive manuscript content may leave the local system, and because the base URL is user-configurable, data could also be sent to arbitrary third-party or attacker-controlled services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The API exposes endpoints that read current AI configuration and write new values into server-side environment-backed configuration, including the API key. This allows any caller with API access to retrieve or replace credentials, which can lead to credential theft, unauthorized billing, and redirection of future document data to attacker-controlled endpoints.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The skill enables implicit invocation while providing only a broad default prompt, so an agent may auto-select it for loosely related requests involving Word documents or formulas without explicit user consent. Because this skill can modify local documents through Word/LibreOffice conversion and OOXML edits, over-broad activation increases the risk of unintended document processing, privacy exposure, or surprising file changes.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The UI starts AI review by sending document-derived candidate text and configuration to an external model endpoint, but the user is not clearly warned at the point of action that document content may leave the local environment. In a document-processing tool for academic manuscripts, formulas and surrounding context can contain unpublished or sensitive material, so silent transmission creates a real confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The request body includes raw candidate text and context extracted from Word documents and posts it to an arbitrary base_url with bearer-token authentication, but the code itself does not enforce any user-facing warning, approval prompt, or privacy guardrail before transmission. In this skill's context (academic manuscript processing), that is meaningfully risky because nearby context can leak confidential draft content, references, and research details to third-party services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: When --provider ai is selected, the code sends scan-derived candidate content to an external service, but this path does not present a clear user-facing warning at execution time. That makes accidental disclosure of document text more likely, especially in environments handling unpublished or confidential material.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The AI review request includes candidate text and context from uploaded documents in outbound requests, but this file shows no enforcement of an explicit consent or warning step before transmission. In a document-processing skill, that increases privacy and confidentiality risk because users may assume processing is local while excerpts are actually shared externally.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The AI progress logger prints candidate source text extracted from the user's document. If stdout/stderr are captured by shells, CI systems, terminals with scrollback, or shared logs, sensitive manuscript content can be disclosed beyond the intended processing path.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
    # (excerpt) key, endpoint and model fall back from request options to environment variables
    if not candidates:
        raise HTTPException(400, "No candidates to review")
    api_key = options.api_key or env_first("OPENAI_API_KEY", "API_KEY")
    base_url = options.base_url or env_first("OPENAI_BASE_URL", "BASE_URL", default="https://api.openai.com/v1")
    model = options.model or env_first("OPENAI_MODEL", "MODEL", default="gpt-4.1-mini")
    if not api_key:
        raise HTTPException(400, "Missing API key")
Confidence: 90%
Finding: https://api.openai.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
    # (excerpt) key, endpoint and model fall back from request options to environment variables
    if not candidates:
        raise HTTPException(400, "No candidates to review")
    api_key = options.api_key or env_first("OPENAI_API_KEY", "API_KEY")
    base_url = options.base_url or env_first("OPENAI_BASE_URL", "BASE_URL", default="https://api.openai.com/v1")
    model = options.model or env_first("OPENAI_MODEL", "MODEL", default="gpt-4.1-mini")
    if not api_key:
        raise HTTPException(400, "Missing API key")
Confidence: 90%
Finding: https://api.openai.com/

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content:
    # (excerpt) reloads .env into the process environment, then returns the live API key alongside the endpoint settings
    def read_ai_config() -> dict:
        _load_dotenv(overwrite=True)
        return {
            "api_key": os.environ.get("OPENAI_API_KEY") or os.environ.get("API_KEY") or "",
            "base_url": os.environ.get("OPENAI_BASE_URL") or os.environ.get("BASE_URL") or "https://api.openai.com/v1",
            "model": os.environ.get("OPENAI_MODEL") or os.environ.get("MODEL") or "gpt-4.1-mini",
            "batch_size": _env_int("AI_BATCH_SIZE", 10),
Confidence: 99%
Finding: os.environ.get("OPENAI_API_KEY

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content:
    # (excerpt) reloads .env into the process environment, then returns the live API key alongside the endpoint settings
    def read_ai_config() -> dict:
        _load_dotenv(overwrite=True)
        return {
            "api_key": os.environ.get("OPENAI_API_KEY") or os.environ.get("API_KEY") or "",
            "base_url": os.environ.get("OPENAI_BASE_URL") or os.environ.get("BASE_URL") or "https://api.openai.com/v1",
            "model": os.environ.get("OPENAI_MODEL") or os.environ.get("MODEL") or "gpt-4.1-mini",
            "batch_size": _env_int("AI_BATCH_SIZE", 10),
Confidence: 99%
Finding: os.environ.get("API_KEY

Credential Access

Severity: High
Category: Privilege Escalation
Content:
    # (excerpt) rewrites the project .env file from caller-supplied configuration
    def write_ai_config(config: AiConfig) -> None:
        env_path = ROOT / ".env"
        existing: dict[str, str] = {}
        if env_path.exists():
            for raw_line in env_path.read_text(encoding="utf-8").splitlines():
Confidence: 95%
Finding: .env"

Static analysis

Exposed secret literal

Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.