ClawHub
Back to skill

Security audit

Local Markdown Editor with Live Preview 本地Markdown网页编辑器

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local Markdown editor, but while it is running its browser-accessible server can read, write, and stop local resources with too little protection.

Review before installing or running. Use only with non-sensitive files unless it is updated to bind strictly to localhost, disable broad CORS, add a per-session token or CSRF protection, restrict reads and writes to an approved workspace or explicit file selection, and remove automatic shutdown on tab hide/unload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exposes a localhost HTTP service that can read and write arbitrary local files via API and can be driven through URL/query parameters. Even though it is described as local-only, local web apps are still attackable by other local processes or by malicious web pages if CORS is permissive, making arbitrary file access and server control materially risky.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The `/api/shutdown` endpoint is completely unauthenticated and will terminate the process on any GET request. In a local web app this is still dangerous because any local user, malicious webpage, or cross-origin script can trigger a denial of service against the editor, especially since CORS is enabled globally.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The `--force` restart logic sends an unauthenticated HTTP request to `http://host:port/api/shutdown` and assumes anything listening there is this application. If the chosen host/port points to another service that happens to expose that path, this code can terminate or interfere with an unintended service.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The UI exposes a server shutdown control even though the skill is described as a local markdown editor. Giving a browser page direct ability to terminate the backend expands scope from document editing into service lifecycle control, which can be abused for denial of service or accidental interruption if a user clicks it or if other script execution occurs in the page.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The page automatically sends shutdown requests when it is hidden, unloaded, or closed, meaning ordinary browsing behavior can terminate the backend without explicit consent. This creates a built-in denial-of-service condition where tab switching, navigation, browser close, or embedding behavior can unexpectedly kill the service for the current or other local users.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims to be a markdown editor, but the code also performs backend lifecycle control by invoking shutdown requests. This hidden expansion of capabilities increases risk because users and reviewers may not expect the editor page to be able to stop the server, making misuse or unintended service termination more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file-write API accepts arbitrary paths and content without authentication, authorization, or path restrictions, allowing any party that can reach the server to overwrite files accessible to the process. In this skill's context, a markdown editor only needs controlled local file operations, so exposing unrestricted writes over HTTP materially increases the risk of local file tampering or abuse from a malicious webpage if the server is reachable.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The force-restart behavior can silently issue a shutdown request to another local server instance without meaningful validation or disclosure beyond a console message. This creates an avoidable denial-of-service path and compounds the risk introduced by the unauthenticated shutdown endpoint.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Shutdown requests are triggered automatically during page hide/unload without a user-facing warning at the moment the action is taken. This violates user expectations and can cause silent data loss or service interruption, especially if the shutdown races with pending saves or preview requests.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.