
Security audit

Doc Snapshot Agent

Security checks across malware telemetry and agentic risk

Overview

The skill’s document-illustration workflow is mostly coherent, but it can use website credentials and persist reusable knowledge about authenticated sites without strong scoping or retention controls.

Install only if you are comfortable letting the agent browse specified sites, use environment-provided credentials, send generated-image prompts to OpenRouter, and store local screenshot outputs. Use test or least-privilege accounts, keep outputs and site-knowledge directories dedicated to this skill, avoid recording real secrets in notes, review screenshots before sharing, and delete persistent site knowledge when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

MCP Least Privilege

Medium
Confidence
95% confidence
Finding
The skill requires access to environment variables, file writes, and network operations, but these capabilities are not declared in a permissions model. That makes the skill's actual trust boundary opaque and increases the risk of users invoking a workflow that can read credentials, modify local files, and interact with external services without clear prior consent.

MCP Tool Poisoning

High
Confidence
92% confidence
Finding
The documented behavior promises controlled Markdown illustration, but the instructions also authorize direct external API usage and execution of a local image-generation script. This mismatch can cause users or orchestration systems to approve the skill under a narrower trust assumption than the skill actually requires, enabling unexpected code execution and data egress.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to run external shell commands such as npx and python. Even if intended for setup or image generation, this expands the attack surface to arbitrary package execution and local interpreter use, which is more dangerous than a pure document-processing workflow.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Requiring execution of a bundled Python script introduces local code-execution capability that can access the filesystem, environment variables, and network. In a skill that may process untrusted document content and prompts, this creates a direct path for unintended side effects or exfiltration if the script or its inputs are not tightly constrained.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The special-cases section explicitly directs shell execution of Python commands for generated images, including passing free-form descriptions into a local script. This creates a repeated, documented execution path for local code and external API access that exceeds a narrowly scoped Markdown transformation task.
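The three findings above all concern the same execution path: the agent shelling out to npx or python and handing a free-form description to a bundled image-generation script that can see the agent's environment. The wrapper below is an added example for this audit, not the skill's own code, showing how that path can be tightly constrained: the prompt travels as a single argv element (no shell, so shell syntax in the description is inert), a `--` sentinel stops it being parsed as an option, the child inherits only the one key it needs, and the run has a fixed working directory and a timeout. The script name generate_image.py, its --out flag and the OPENROUTER_API_KEY variable are assumptions for illustration; the stub script is constructed so the example runs offline.

```python
"""Invoke the local image-generation script under explicit constraints.

Added example for this audit; it is not the skill's own code. The script name
generate_image.py, its --out flag, the use of '--' before the prompt and the
OPENROUTER_API_KEY variable are assumptions for illustration.
"""
import json
import os
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Optional

MAX_PROMPT_CHARS = 1000
ALLOWED_ENV = ("OPENROUTER_API_KEY",)   # the only secret this step needs; nothing else is inherited


def check_prompt(prompt: str) -> str:
    """Free-form text is fine, but refuse empty, oversized or control-character-laden input."""
    if not prompt.strip():
        raise ValueError("empty prompt")
    if len(prompt) > MAX_PROMPT_CHARS:
        raise ValueError("prompt too long")
    if any(ord(c) < 32 and c not in "\n\t" for c in prompt):
        raise ValueError("control characters in prompt")
    return prompt


def build_command(script, prompt: str, out_file) -> List[str]:
    """argv list, never a shell string: the prompt is one argument and cannot be
    interpreted as shell syntax; '--' keeps a prompt starting with '-' from being read as an option."""
    return [sys.executable, str(Path(script)), "--out", str(Path(out_file)), "--", check_prompt(prompt)]


def minimal_env(source: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Pass only allow-listed variables, so site passwords in the agent's env never reach the script."""
    source = dict(os.environ) if source is None else source
    env = {k: source[k] for k in ALLOWED_ENV if k in source}
    env["PATH"] = source.get("PATH", "/usr/bin:/bin")
    return env


def run_generation(script, prompt: str, out_file, env=None, timeout: float = 120) -> subprocess.CompletedProcess:
    """Run without a shell, with a minimal env, a fixed working directory and a timeout."""
    out_file = Path(out_file)
    return subprocess.run(build_command(script, prompt, out_file), env=minimal_env(env),
                          cwd=out_file.parent, capture_output=True, text=True,
                          timeout=timeout, check=False)


# Constructed stand-in for the real generator: it only reports what it received.
STUB_SCRIPT = """import json, os, sys
args = sys.argv[1:]
out = args[args.index("--out") + 1]
prompt = args[args.index("--") + 1]
with open(out, "w") as f:
    json.dump({"prompt": prompt, "env_keys": sorted(os.environ)}, f)
"""


def demo() -> Dict[str, bool]:
    """Run a hostile-looking prompt through the wrapper and check what the child process saw."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "generate_image.py"
        script.write_text(STUB_SCRIPT)
        out = Path(tmp) / "image.json"
        # Constructed parent environment: the key the step needs plus a secret it must not see.
        parent_env = dict(os.environ, OPENROUTER_API_KEY="constructed-key", SITE_PASSWORD="constructed-pw")
        prompt = "--help; rm -rf ~ $(id) a diagram of the login flow"
        result = run_generation(script, prompt, out, env=parent_env)
        if result.returncode != 0:
            raise RuntimeError(result.stderr)
        seen = json.loads(out.read_text())
        return {
            "prompt_intact": seen["prompt"] == prompt,
            "api_key_passed": "OPENROUTER_API_KEY" in seen["env_keys"],
            "site_password_leaked": "SITE_PASSWORD" in seen["env_keys"],
        }


if __name__ == "__main__":
    print(demo())
```

The point of the stub is the report it writes back: the description arrives byte-for-byte as one argument (so the shell metacharacters in it were never interpreted), the generator sees the API key it needs, and the site password that was sitting in the parent environment is absent.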

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The reference explicitly instructs the agent to read website login credentials from environment variables and use them in browser automation. For a document-illustration skill, this expands scope into authenticated account access and secret handling, which increases the chance of unintended credential use, access to private data, and screenshot capture of sensitive content if the target site or document is untrusted or loosely specified.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The reference explicitly instructs the agent to persist site knowledge and user-specific learnings outside the skill package, creating a durable data store beyond the narrow task of illustrating documents. This expands the skill into ongoing collection and retention of browsing context and potentially sensitive operational data without clear minimization, consent, or retention controls.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This section directs collection of login methods, authenticated navigation paths, and page mappings for future reuse, which materially exceeds simple screenshot assistance. Even though it does not directly request secret values, documenting credential variable names, auth flow details, and authenticated access patterns creates reusable reconnaissance that could expose sensitive internal application structure or facilitate later misuse.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The exploration workflow prescribes broad site discovery, validation of many page types, and ongoing knowledge maintenance rather than targeted navigation for a specific screenshot task. That scope creep increases the chance of unnecessary access, collection of unrelated site structure, and retention of operational intelligence about authenticated environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to provide website credentials and API keys via environment variables, but it does not warn about sensitive-data handling, storage, logging, or privacy implications. In a skill that automates browser actions and image generation, this omission increases the chance that secrets are used in unsafe environments, exposed in logs, screenshots, process listings, or written into generated artifacts.
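The overview's advice to avoid recording real secrets in notes, and the finding above about secrets ending up in logs and generated artifacts, can be enforced mechanically rather than by hoping the agent remembers. The block below is an added example for this audit, not the skill's code: it loads the values of the credential variables, replaces every occurrence in a note with a placeholder naming the variable (so the note still says which variable to use, which is the pattern the site-knowledge findings describe), catches bearer tokens that were never loaded from the environment, and refuses to hand back anything that still contains a raw value. The variable names SITE_USERNAME, SITE_PASSWORD and OPENROUTER_API_KEY and the sample note are assumptions constructed for illustration.

```python
"""Redact environment-provided secrets before site-knowledge notes are persisted.

Added example for this audit; it is not code from the Doc Snapshot Agent skill.
The variable names SITE_USERNAME, SITE_PASSWORD and OPENROUTER_API_KEY are
assumed for illustration; the audit page does not list the real names.
"""
import re
from typing import Dict, Iterable, Tuple

# Assumed names of the env variables the agent is allowed to read secrets from.
SECRET_ENV_VARS = ("SITE_USERNAME", "SITE_PASSWORD", "OPENROUTER_API_KEY")

# Values shorter than this are not redacted: they would match all over the note.
MIN_SECRET_LEN = 6

# Generic shape of a bearer token, so a key that was never loaded from env
# (pasted by the user, echoed by a site) is still caught.
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]{16,}")


def load_secrets(env: Dict[str, str], names: Iterable[str] = SECRET_ENV_VARS) -> Dict[str, str]:
    """Collect the secret values that must never reach disk, keyed by variable name."""
    return {n: env[n] for n in names if env.get(n) and len(env[n]) >= MIN_SECRET_LEN}


def redact(text: str, secrets: Dict[str, str]) -> Tuple[str, int]:
    """Replace each secret value with a placeholder naming its variable.

    The note stays useful ("fill #password with $SITE_PASSWORD") without carrying
    the value. Longest values go first so a secret that is a prefix of another
    does not leave a fragment behind. Returns (redacted_text, replacements)."""
    total = 0
    for name, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        text, n = re.subn(re.escape(value), f"[REDACTED:{name}]", text)
        total += n
    text, n = BEARER_RE.subn(r"\1[REDACTED:TOKEN]", text)
    return text, total + n


def safe_to_persist(text: str, secrets: Dict[str, str]) -> bool:
    """Final gate before writing: no raw secret value and no bearer token left."""
    return not any(v in text for v in secrets.values()) and BEARER_RE.search(text) is None


def prepare_note(text: str, env: Dict[str, str]) -> str:
    """Return the version of a note that may be written to the site-knowledge directory."""
    secrets = load_secrets(env)
    cleaned, _ = redact(text, secrets)
    if not safe_to_persist(cleaned, secrets):
        raise ValueError("note still contains secret material; refusing to persist")
    return cleaned


# Constructed sample input (not real credentials, not from the skill's docs).
SAMPLE_ENV = {
    "SITE_USERNAME": "docs-bot@example.com",
    "SITE_PASSWORD": "Tr0ub4dor&3xyz",
    "OPENROUTER_API_KEY": "sk-or-v1-0123456789abcdef",
}
SAMPLE_NOTE = (
    "Login: fill #email with docs-bot@example.com, #password with Tr0ub4dor&3xyz, click Sign in.\n"
    "Image API call used 'Authorization: Bearer sk-or-v1-0123456789abcdef'.\n"
    "Dashboard lives at /app/home after auth.\n"
)

if __name__ == "__main__":
    print(prepare_note(SAMPLE_NOTE, SAMPLE_ENV))
```

Run `prepare_note` on every string the agent is about to write to the site-knowledge directory or to a log. The navigation facts the skill wants to keep (which selector to fill, where the dashboard lives) survive; the three values do not, and the bearer-token pattern is a backstop for tokens that arrived by some route other than the environment.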

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill will create directories and write multiple output files, including a default path under /tmp, without an explicit user-facing warning about those write operations. Silent file creation and modification can surprise users, overwrite expected outputs, or store sensitive material in locations they did not intentionally approve.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill supports logging into websites with environment-provided credentials and capturing screenshots of authenticated pages, but it does not prominently warn about privacy risks or sensitive data exposure in those screenshots and outputs. This can lead to accidental capture of private dashboards, personal information, team data, or confidential business content into local files and caches.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The sign-in guidance normalizes handling credentials for arbitrary sites but does not prominently warn about the sensitivity of secrets, least-privilege use, account scope, or the risk of exposing private data during automated browsing and screenshot capture. In this skill context, that omission can lead operators to use real credentials without adequate controls, increasing the chance of over-collection or accidental disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs writes to environment-provided directories outside the skill package but provides no user warning, confirmation step, or explanation of what will be stored there. Silent persistence outside the expected skill boundary can violate user expectations, create hidden state, and retain sensitive browsing-derived information across tasks.
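Two of the write-related findings (the silent default under /tmp and the persistence into environment-provided directories outside the package) and the overview's advice to keep outputs dedicated to the skill and delete site knowledge when it is no longer needed come down to the same three controls: one owner-only directory, no writes that escape or overwrite, and a retention sweep. The block below is an added example for this audit, not the skill's code. DOC_SNAPSHOT_HOME, the /tmp/doc-snapshot default and the 7-day window are assumptions for illustration; `demo()` exercises the controls in a throwaway directory.

```python
"""Confine the skill's writes to one dedicated directory and expire stored site knowledge.

Added example for this audit; it is not code from the Doc Snapshot Agent skill.
DOC_SNAPSHOT_HOME, the /tmp default below and the 7-day retention window are
assumptions for illustration, not values from the skill.
"""
import os
import time
from pathlib import Path
from typing import Dict, List, Optional

DEFAULT_HOME = Path("/tmp/doc-snapshot")     # assumed; the audit only says outputs default under /tmp
RETENTION_SECONDS = 7 * 24 * 3600            # assumed retention policy for site-knowledge files


def skill_home(env: Optional[Dict[str, str]] = None) -> Path:
    """Resolve the one directory this skill may write to and make it owner-only."""
    env = dict(os.environ) if env is None else env
    home = Path(env.get("DOC_SNAPSHOT_HOME", DEFAULT_HOME)).expanduser().resolve()
    home.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(home, 0o700)  # mkdir's mode is umask-filtered and ignored if the dir already existed
    return home


def resolve_inside(home: Path, relative: str) -> Path:
    """Reject paths that escape the dedicated directory via '..', an absolute path or a symlink."""
    candidate = (home / relative).resolve()
    if candidate != home and home not in candidate.parents:
        raise ValueError(f"refusing to touch a path outside {home}: {relative}")
    return candidate


def write_new(home: Path, relative: str, data: bytes) -> Path:
    """Create a file that does not exist yet; an earlier output is never silently overwritten."""
    target = resolve_inside(home, relative)
    target.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: fail instead of clobber
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def purge_stale(home: Path, subdir: str = "site-knowledge",
                max_age: float = RETENTION_SECONDS, now: Optional[float] = None) -> List[Path]:
    """Delete persisted site knowledge older than the retention window; screenshots are left alone."""
    now = time.time() if now is None else now
    root = resolve_inside(home, subdir)
    removed: List[Path] = []
    if root.is_dir():
        for p in root.rglob("*"):
            if p.is_file() and now - p.stat().st_mtime > max_age:
                p.unlink()
                removed.append(p)
    return removed


def demo() -> Dict[str, object]:
    """Exercise the controls in a throwaway directory and report what each one did."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home = skill_home({"DOC_SNAPSHOT_HOME": tmp})
        shot = write_new(home, "screenshots/login.png", b"constructed sample, not a real PNG")
        note = write_new(home, "site-knowledge/example-site.md", b"# example site\nlogin form at /signin\n")
        try:
            write_new(home, "screenshots/login.png", b"second run")
            overwrite_blocked = False
        except FileExistsError:
            overwrite_blocked = True
        try:
            resolve_inside(home, "../../etc/passwd")
            escape_blocked = False
        except ValueError:
            escape_blocked = True
        stale = time.time() - RETENTION_SECONDS - 60   # age the note past the window
        os.utime(note, (stale, stale))
        purged = [p.name for p in purge_stale(home)]
        return {
            "home_mode": oct(home.stat().st_mode & 0o777),
            "file_mode": oct(shot.stat().st_mode & 0o777),
            "overwrite_blocked": overwrite_blocked,
            "escape_blocked": escape_blocked,
            "purged": purged,
            "screenshot_kept": shot.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

`resolve_inside` calls `resolve()` on both sides, so a symlink planted inside the directory that points elsewhere is rejected the same way a `..` component is. Run `purge_stale` at the start of every session so retained site knowledge never outlives the window by more than one run.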

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The instruction to force English if the article is English directs the agent to override site language behavior without confirming user preference or authorization. While lower severity than credential or persistence issues, it can violate locale/user-setting expectations and produce actions outside the minimum necessary behavior.

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.