ClawHub

Hwp Batch Convert

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Windows tool for batch-converting Hancom HWP/HWPX documents, with a clearly disclosed optional setting that can auto-approve a specific Hancom security prompt.

Install only if you need Windows Hancom HWP/HWPX batch conversion. Preview with --plan-only --json, confirm input and output folders, avoid --overwrite unless intended, and use --auto-allow-dialogs only for trusted files where you are comfortable bypassing repeated Hancom prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly documents an option to automatically click a security confirmation dialog that appears when Hancom HWP detects an access attempt. Even with a narrow title/text/button whitelist, this weakens a protective user-consent boundary and can normalize bypassing document security prompts during batch processing; if enabled on untrusted files, it could allow unintended document access or macro/automation actions without meaningful user review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill can automatically click Hancom HWP security confirmation dialogs matching broad UI text such as '접근하려는 시도' and buttons like '모두 허용'. This weakens an explicit security control intended to warn users about document access or automation, and in a batch-conversion workflow it can silently approve risky operations across many files without a just-in-time warning or strong provenance check.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal