Back to skill

Security audit

pdfelement-skill

Security checks across malware telemetry and agentic risk

Overview

This PDF automation skill is mostly aligned with its purpose, but it gives an agent broad control over local document workflows and desktop sessions without enough safeguards.

Install only if you intend to let OpenClaw launch PDFelement against local PDFs. Use copies of important files, confirm exact file paths and operations before running, avoid confidential files for translation unless you understand PDFelement's data handling, and do not share generated `wspet://` URLs, terminal output, or diagnostic logs because they may reveal private paths or PDF passwords.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to reuse DISPLAY, XAUTHORITY, and DBUS_SESSION_BUS_ADDRESS from another live Linux desktop session. Those values are effectively session credentials/capability handles, and borrowing them lets the agent drive GUI actions in a user's session without a clean authorization boundary.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This repeats and operationalizes the same unsafe pattern: capturing active desktop-session variables so an agent can inject into the user's GUI context. In practice, this can enable unintended file access, automated clicks/actions, and abuse of the user's privileges in a way that bypasses normal session isolation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill mandates Windows launches with -autoexec, which auto-applies operations after a delay, but the description does not warn users that actions may execute automatically once files are loaded. That creates a safety and consent problem, especially for transformations, security changes, or batch operations affecting real documents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The operation catalog includes destructive or irreversible actions such as deleteBlankPages, batchPrint, sign, and security changes without prominent warnings, confirmation requirements, or rollback guidance. In an agent workflow, omission of these safeguards increases the chance of accidental data loss, unintended disclosure via printing, or permanent document modification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `-autoexec` feature enables operations to run automatically after files are preloaded, and the documentation actively recommends using it for OpenClaw-triggered workflows. In an agent skill context, this reduces meaningful user confirmation and can cause unintended document conversion, OCR, translation, optimization, printing, or other modifications on local files with only a short countdown.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples embed PDF passwords directly in XML and command-building examples without a prominent warning, which encourages insecure handling of secrets. In practice this can expose passwords through docs, shell history, process arguments, logs, screenshots, clipboard capture, or agent traces when users follow the examples literally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The templates launch file-conversion and modification workflows that generate new documents and may place outputs beside the source PDF or in user-configured locations, but the warnings are minimal and easy to miss. In an agent-driven context, this can cause unintended writes, overwrite confusion, or sensitive derivative files being left on disk where users do not expect them.

Missing User Warnings

High
Confidence
95% confidence
Finding
The Translate PDF workflow is presented like a local document action even though translation features commonly rely on remote services or cloud-backed processing. Without a privacy warning, users may expose confidential document contents, metadata, or extracted text to third parties, which is especially risky in a skill marketed for local PDF operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This diagnostic log records full file paths, registry/protocol details, and local executable locations to disk without clear user consent or masking. Those details can expose sensitive document names, filesystem layout, and environment information that could aid local attackers or leak privacy-sensitive data through log collection and support bundles.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script accepts a password parameter and embeds it into generated XML for each file, which then becomes part of the command payload sent to the custom protocol handler. Even if not printed directly, this expands the password's exposure surface into process arguments, memory, downstream app handling, and potentially logs or crash artifacts.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The reset logic forcibly kills existing PDFToolbox processes to guarantee a clean state, but it does so without confirming whether the user has unsaved work in those sessions. In a desktop productivity context this can cause denial of service and data loss for other active documents or unrelated user tasks.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
---

#### `-autoexec`
Auto-execute the operation after a 10-second countdown when files are loaded and the Apply button is available.

**Version:** 12.1.14+
Confidence
94% confidence
Finding
Auto-execute

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.