Stirling Pdf

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly coherent Stirling-PDF API helper, but one included script can send sensitive PDFs to an unexpected hard-coded private-network address over HTTP.

Install only if you control and trust the Stirling-PDF server. Prefer the localhost-based pdf-toolkit.sh path, set the endpoint explicitly, avoid public or unknown servers, and do not process confidential PDFs or passwords through the included stirling-pdf.sh script unless you have reviewed and changed its default URL and shell handling.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The skill is described as a 'complete local PDF toolkit', but the implementation sends files to a Stirling-PDF HTTP API service. This mismatch can mislead users into exposing sensitive PDFs to a network service they may not realize is involved, especially since the default transport is plain HTTP to localhost and the endpoint is configurable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
Allowing an arbitrary STIRLING_BASE_URL means the tool can transmit PDFs and related data to any remote endpoint, which exceeds the expected scope of a local PDF helper. In a skill context, this broadens the trust boundary and creates an easy path for data exfiltration if the environment variable is changed maliciously or accidentally.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill is described as a 'complete local PDF toolkit', but the script actually transmits user PDFs to a network API endpoint defined by STIRLING_API_URL, defaulting to a private HTTP service. This is a significant trust and disclosure issue because users may provide sensitive documents believing processing is local, while the files are instead sent over the network, potentially unencrypted.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The script requires an API key from the environment and uses it to authenticate to a remote service, which contradicts the expectation created by a 'local' toolkit. While reading secrets from environment variables is common, in this context it reinforces that the tool depends on a remote authenticated service and may mislead users about where data is processed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script transmits PDF contents and, for encrypt/decrypt operations, passwords to the API service over the network without warning the user. Because the default URL uses http://, credentials and document contents may be exposed to interception or logging, and even localhost assumptions break down in containerized or proxied environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The OCR command uploads a local PDF to the remote API without any warning, consent prompt, or visible disclosure to the user. OCR commonly processes sensitive documents, so silent transmission can expose private content to network interception, server compromise, logging, or unintended retention.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The merge command silently uploads multiple local PDFs to the remote service, increasing the volume and sensitivity of exposed data. It also builds the curl invocation as a shell string and executes it with eval, which can amplify risk if filenames or environment values contain shell metacharacters, potentially leading to command injection in addition to undisclosed exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The compress command sends a local PDF to the remote API without informing the user, despite the skill presenting itself as local. Compression may be applied to confidential documents, so undisclosed network transfer creates confidentiality and compliance risks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The remove-blanks command uploads the input PDF to a network service without notifying the user. Because the endpoint defaults to plain HTTP on a private IP, the document contents and API key may be exposed to interception or misuse within the network environment.

VirusTotal

64/64 vendors flagged this skill as clean.