FlowVisualExplainer

Security checks across malware telemetry and agentic risk

Overview

This skill mainly creates visual HTML files, but it also includes public web sharing and remote resource loading that users should review before installing.

Install only if you are comfortable with a skill that creates local HTML files, opens them in a browser, loads some third-party web resources when viewed, and can publish generated HTML to a public Vercel URL. Do not use the share/deploy path for pages containing secrets, private code, internal architecture, customer data, or confidential plans unless you have reviewed and approved the exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill metadata and top-level description present the capability as local HTML generation and browser opening, but later instructions add public deployment via Vercel. That hidden expansion of scope is security-relevant because an agent or user may assume outputs stay local when the skill can instead publish potentially sensitive content to a public URL.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Including a deployment path to Vercel materially changes the trust boundary from local file creation to third-party publication. In a skill intended for visual explanations, users may include code, architecture, diffs, or plans that are confidential, so publishing them can cause unintended data disclosure.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This document expands from CSS/HTML guidance into instructing use of an external AI image-generation command (`surf gemini --generate-image`). In a skill that automatically produces self-contained HTML and may run helper tooling, introducing an unnecessary external generation capability increases attack surface around data exfiltration, unreviewed network use, cost, and unsafe prompt propagation from user content.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script adds public deployment behavior that goes beyond the skill's stated purpose of generating local HTML and opening it in a browser. It copies arbitrary generated HTML into a temporary directory and invokes a Vercel deployment helper, producing a publicly reachable URL with no authentication, which can expose sensitive code, architecture diagrams, plans, or embedded data to the internet.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The remote publication path is not necessary for the core function of visually explaining content and materially increases risk by exporting local output to a third-party service. In this skill context, outputs may contain proprietary source code, internal architecture, diffs, or planning details, so silent or convenience-oriented deployment creates a significant confidentiality risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template fetches Google Fonts and later imports Mermaid and ELK from public CDNs, which introduces an unnecessary external dependency chain for a local rendering skill. This creates supply-chain and privacy risk: a compromised CDN, dependency update, or network interception could execute attacker-controlled code in the browser when the generated HTML is opened.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill advertises self-contained HTML output, but this template requires external resources at runtime, so the security model is materially different from what users are told to expect. That mismatch can cause users to open generated files under the assumption they are offline-safe, when in fact they make outbound requests and execute remote JavaScript.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template loads Google Fonts from third-party origins, which contradicts the skill's promise of self-contained HTML and creates external network dependencies. When generated files are opened locally, they can leak user metadata such as IP address, user agent, timing, and referrer-related context to external providers, and rendering now depends on remote availability and integrity.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Importing Mermaid from jsDelivr means every opened deck executes active JavaScript fetched from a third-party CDN, not just passive assets. This breaks the self-contained security model and introduces supply-chain and privacy risk: a compromised CDN resource or unexpected version behavior could execute arbitrary code in the viewer's browser context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough to activate on common requests like 'explain' or routine table generation, increasing the chance the skill runs when the user did not intend file creation or browser opening. Over-broad activation is dangerous here because the skill has side effects and can steer ordinary conversations into local output generation or eventual publication workflows.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Phrases like 'explain', 'review this diff', 'project recap', and 'fact-check this doc' are ambiguous and not tightly bound to visual rendering. Because the skill also writes files and opens a browser, ambiguous matching can cause unexpected side effects or expose sensitive project material to downstream rendering and sharing flows.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The command table maps everyday phrases such as 'share this' and broad review commands to high-impact actions without sufficient specificity. This raises the risk of accidental invocation, especially because 'share' can lead to deployment and public exposure rather than a harmless formatting transformation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs automatic file output and browser opening as default behavior without a user-facing warning or consent step. Unexpected local side effects are risky in agent environments because they may reveal sensitive content on-screen, create artifacts on disk, or disrupt the user's workflow without clear authorization.

Missing User Warnings

High
Confidence
96% confidence
Finding
The deployment instructions describe publishing generated HTML to a live URL but omit any explicit privacy, confidentiality, or permanence warning. In the context of diagrams, diff reviews, plan reviews, and project recaps, the rendered content may include internal architecture, code-derived insights, or sensitive business information that becomes publicly accessible if uploaded.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script's header advertises instant live sharing with 'no auth required' but does not present a runtime warning or confirmation before uploading the supplied HTML. That makes accidental disclosure more likely, especially because users may assume the skill only writes to ~/clawd/output/diagrams/ and opens files locally based on the metadata.

VirusTotal

65/65 vendors flagged this skill as clean.