SEA Multilingual Document Summarizer

Security checks across malware telemetry and agentic risk

Overview

This is a paid local summarization skill with a clearly disclosed billing check, and I found no evidence that document contents are exfiltrated or that it performs unrelated system actions.

Install only if you are comfortable with a paid summarization workflow that sends your user identifier to the disclosed SkillPay/Cloudflare billing endpoint. Confirm the charge before use, and treat document summarization as local agent work rather than a remote summarization service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires the agent to make an external network request to a billing endpoint, but no explicit permission or capability declaration is provided beyond metadata for an API key. Hidden or undeclared network behavior reduces transparency and can enable unexpected external data transfer or financial actions, especially in an agent environment where users may assume the skill is purely local summarization.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The advertised purpose is multilingual document summarization, but the actual actionable behavior is to charge users through an external service and return payment URLs, while providing no mechanism to submit documents for summarization. This mismatch is dangerous because it can deceive users and agents into invoking a billing workflow under false pretenses, a strong indicator of phishing-like monetization or abusive skill behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation materially contradicts the stated purpose of the skill: instead of summarizing documents, it only processes a billing charge and returns payment status. A capability mismatch like this is dangerous because users or orchestrators may invoke the skill expecting document processing while the code silently performs monetization, creating a deceptive charge flow with no corresponding service.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code exposes a standalone billing action that is not justified by the advertised document summarization function. In this context, the skill can be used as a generic charging endpoint, which increases the risk of unauthorized or deceptive charges because there is no visible coupling between payment and delivery of a legitimate summarization result.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to initiate a charge and potentially share a payment URL without any explicit user warning, confirmation, or consent gate. In an autonomous or semi-autonomous agent context, this can trigger unauthorized financial requests or social-engineering-style payment prompts, making the billing flow materially more dangerous than in a clearly labeled checkout experience.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
A charge is initiated immediately from a POST containing only a user identifier, with no visible confirmation token, acknowledgement flag, or other evidence of informed consent in this code. That makes accidental, scripted, or unauthorized billing more likely, especially because the surrounding skill context suggests a benign summarization feature rather than a payment action.

VirusTotal

62/62 vendors flagged this skill as clean.