Pandoc Convert

Security checks across malware telemetry and agentic risk

Overview

This is a real Pandoc document-conversion helper, but it includes poorly scoped examples that can fetch remote content or run local code.

Review before installing. Use it for trusted local document conversion, and avoid URL inputs, remote templates/styles, --filter, --lua-filter, pandoc -l, server mode, and TeX shell escape unless you explicitly intend network access or code execution and have verified the exact files and commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The documentation explicitly shows Pandoc reading directly from remote URLs, which expands a local document-conversion skill into a network-capable retrieval tool. In an agent setting, this can enable unintended outbound requests, SSRF-like access to internal endpoints, metadata service probing, or exfiltration through fetched content, especially because no warning or restriction is provided.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The skill documents use of external JSON filters and Lua filters, which are executable transformation mechanisms rather than passive format conversion features. In an agent environment, this materially increases capability from document conversion to local code execution, making it dangerous if untrusted filters or user-supplied paths are invoked.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Allowing templates, reference docs, or CSS to be specified by URL broadens the skill into remote resource retrieval and potentially untrusted content ingestion. This can trigger unexpected network access and make outputs depend on attacker-controlled remote resources, which is risky in automated agent workflows.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The example recommending --pdf-engine-opt=-shell-escape exposes a command path that can permit TeX engines to execute shell commands during PDF generation. This is a well-known high-risk setting for untrusted documents and can convert a formatting task into arbitrary command execution.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This section explicitly documents execution of external programs and Lua scripts as part of Pandoc processing, which is a direct code-execution surface. Within a skill intended for document conversion, exposing this without strong constraints makes the skill substantially more dangerous than its stated purpose suggests.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation encourages fetching a document from a URL but does not warn that this causes outbound network access. In agent usage, omitting such a warning can lead to invisible external requests and misuse against internal or sensitive endpoints.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The examples show --filter and --lua-filter usage without warning that they run local executables or scripts. Users may reasonably interpret them as normal formatting options, creating a dangerous mismatch between apparent and actual behavior.

VirusTotal

65/65 vendors flagged this skill as clean.