Upstage Builder

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Upstage app-building skill, but it can send chosen prompts and documents to Upstage and create deployed web apps, so users should control sensitive data and costs.

Install this only if you want an agent to build Upstage-based apps or document workflows. Use a dedicated Upstage API key with spending limits, confirm before deploying externally, and avoid sending confidential, regulated, or personal documents unless you have approval for Upstage processing and understand retention terms. Developers should not expose or log raw reasoning fields in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill instructs the agent to read environment variables, write files under a fixed project root, read reference files, and make outbound network requests, but it declares no permissions or guardrails for those capabilities. This creates a capability/permission mismatch that can lead to over-broad execution in environments that rely on declared permissions for policy enforcement or user awareness.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The documentation explicitly states that the API returns `message.reasoning` as the model's internal chain-of-thought and shows it in a response example. Exposing hidden reasoning can leak sensitive prompt context, internal decision traces, and policy-relevant information, and it normalizes unsafe downstream handling of model internals.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The invocation guidance is very broad and can cause the skill to trigger on generic 'build with Upstage' requests, including full app scaffolding and deployment, without strong exclusion boundaries. Over-broad activation increases the chance the skill is selected in contexts where file writes, deployment actions, or network calls are not actually intended by the user.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The example uploads the user-supplied document to an external Upstage API for parsing, but the script provides no explicit user-facing disclosure beyond the behavior implied in the code. In example or skill contexts, this can lead users to send sensitive documents off-host without understanding that their data leaves the local environment.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation includes file-upload and remote-processing examples that send documents to Upstage's external API, but it does not prominently warn that user documents leave the local environment and are transmitted to a third-party service. In an agent skill that may be used on sensitive business files, this omission can lead to unintentional disclosure of confidential data by users or downstream agents.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: The documentation not only mentions but encourages use of internal reasoning in responses, including token accounting for reasoning tokens. In an agent-building skill, this is especially risky because developers may surface, persist, or rely on chain-of-thought in production systems, increasing prompt leakage and jailbreak/policy-bypass exposure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation instructs users to send document contents, including potentially sensitive files, to a third-party remote API but does not include any privacy, consent, retention, or data-handling warning. In an agent skill context, this omission can lead developers to unknowingly transmit personal, confidential, or regulated documents off-system.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The document explicitly instructs users to upload local documents to a third-party API but does not include any privacy, consent, retention, or sensitive-data handling warning near the examples. Because these APIs process potentially confidential files and the same document later notes storage behavior and multi-day async retention, omission of a clear warning can lead to unintended disclosure of sensitive documents.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The documentation and examples explicitly send supplied text to Upstage's external embeddings service but do not warn that prompts/documents may contain sensitive or regulated data. In a builder skill that helps construct RAG and application pipelines, users may copy real documents, queries, or customer content into these examples, creating an avoidable privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The examples instruct users to send document images and extracted contents to Upstage's remote API but do not warn that these documents may contain sensitive or regulated data. In an agent skill context, omission of a privacy/data-sharing notice can cause users to upload invoices, bank statements, or IDs without understanding that the data leaves their environment.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The Python sample reads local files such as bank statements, base64-encodes them, and uploads them to a third-party API with no warning about handling sensitive personal or financial information. Because the example normalizes this workflow, downstream agents or developers may apply it to real confidential documents without proper consent, minimization, or retention review.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The async and prebuilt examples support uploading multiple documents and the page notes that async results are stored for 30 days, but there is no prominent warning about remote retention or multi-document privacy exposure. This increases the chance of bulk exfiltration of sensitive records when users follow the examples in automation or agent pipelines.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: The file instructs users that reasoning text is included in responses and describes the field as the model's internal chain-of-thought. That guidance can lead integrators to display or store sensitive internal traces, creating unnecessary disclosure risks and unsafe product patterns.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

```python
import requests

with open("document.pdf", "rb") as f:
    response = requests.post(
        "https://api.upstage.ai/v1/document-digitization",
        headers={"Authorization": "Bearer YOUR_API_KEY"},
        files={"document": f},
```

Confidence: 85%
Finding: requests.post( "https://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

```python
# Step 1: Submit async request
with open("large_document.pdf", "rb") as f:
    response = requests.post(
        "https://api.upstage.ai/v1/document-digitization/async",
        headers={"Authorization": f"Bearer {api_key}"},
        files={"document": f},
```

Confidence: 88%
Finding: requests.post( "https://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

**curl:**

```bash
curl -X POST https://api.upstage.ai/v1/document-classification \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 84%
Finding: curl -X POST https://api.upstage.ai/v1/document-classification \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

### Example Request

```bash
curl -X POST https://api.upstage.ai/v1/document-digitization \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "model=ocr" \
  -F "document=@/path/to/document.pdf"
```

Confidence: 83%
Finding: https://api.upstage.ai/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

### Example Request

```bash
curl -X POST https://api.upstage.ai/v1/document-digitization \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "model=document-parse" \
  -F "document=@/path/to/document.pdf" \
```

Confidence: 83%
Finding: https://api.upstage.ai/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

**curl:**

```bash
curl -X POST https://api.upstage.ai/v1/document-classification \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 84%
Finding: https://api.upstage.ai/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

```python
"Python is a great programming language."
]

response = requests.post(
    "https://api.upstage.ai/v1/embeddings",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
```

Confidence: 80%
Finding: requests.post( "https://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

```python
"Python is a great programming language."
]

response = requests.post(
    "https://api.upstage.ai/v1/embeddings",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
```

Confidence: 80%
Finding: requests.post( "https://api.upstage.ai/v1/embeddings", headers={ "Authorization": "Bearer YOUR_API_KEY", "Content-Type": "application/json" }, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

### Example Request

```bash
curl -X POST https://api.upstage.ai/v1/embeddings \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 77%
Finding: curl -X POST https://api.upstage.ai/v1/embeddings \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

### Example Request

```bash
curl -X POST https://api.upstage.ai/v1/embeddings \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 77%
Finding: https://api.upstage.ai/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

```python
]

response = requests.post(
    "https://api.upstage.ai/v1/embeddings",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Content-Type": "application/json"
```

Confidence: 80%
Finding: https://api.upstage.ai/

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:

```
openai>=1.30.0
numpy>=1.26.0
requests>=2.31.0
```

Confidence: 93%
Finding: openai>=1.30.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal