ClawHub

Convert Screenshot Any

Security checks across malware telemetry and agentic risk

Overview

The package is not malicious, but its stated screenshot purpose does not match its main instructions and it includes unclear write/API-key documentation.

Install only after the publisher clarifies the real purpose, removes the generic converter instructions or updates the manifest, and explains whether API_KEY and write mode are actually required. VirusTotal and the platform static scan were clean, so this is a review concern about coherence and disclosure rather than confirmed malware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest advertises UI screenshot conversion, while the documented behavior instead describes generic data/file transformation. In an agent ecosystem, this kind of semantic deception or drift is dangerous because routing, permission expectations, and user trust depend on accurate skill identity.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The core position and execution steps clearly instruct the agent to parse text-based structured formats rather than analyze screenshots. This contradiction increases operational risk because downstream systems may grant use based on the claimed UI-image purpose, while the actual instructions steer the model toward broader content transformation behavior.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file defines `_main()` twice, and the later definition silently overrides the earlier test-runner implementation. Because the `if __name__ == '__main__': sys.exit(_main())` call appears before the second definition, direct script execution may still use the first version, but any later import or reuse of `_main` in-process will resolve to the overridden function, which calls an undefined `_run_unit_tests()` and changes program behavior unexpectedly. In a testing/security-gating context, this can break or bypass expected validation flows and create inconsistent results between execution modes.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
Documenting a write mode without warning that it may modify files or data can mislead users into invoking state-changing behavior without informed consent. In an agent skill ecosystem, ambiguous write semantics increase the risk of unintended file modification, data corruption, or automation misuse, especially when the README already appears templated and misaligned with the declared purpose.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal