everything to markdown (Chinese version)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward document-to-Markdown skill, but users should be mindful that converted files, media, URLs, and metadata may become visible to their agent workflow.

Install in an isolated Python environment when possible, review the MarkItDown package/version, and only convert files, media, or URLs whose extracted text, subtitles, transcripts, and metadata you are comfortable exposing to the agent and any downstream LLM/RAG systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (87% confidence)

Finding: The README advertises OCR, audio transcription, and YouTube subtitle extraction but does not disclose whether these features may send user content to external services, fetch remote data, or process sensitive files. In an agent/LLM workflow, users may pass confidential documents or media automatically, so missing privacy and network-use warnings can lead to unintended data exposure and unsafe deployment assumptions.

Missing User Warnings

Medium (91% confidence)

Finding: The skill explicitly promotes processing YouTube URLs and audio inputs but does not warn that these operations may require network access or send user-provided content and metadata to external services. In an agent workflow, that omission can cause unintended disclosure of sensitive URLs, media, transcripts, or metadata because users may assume the conversion is purely local.

Missing User Warnings

Low (85% confidence)

Finding: The examples show writing Markdown outputs, including batch processing that creates sibling .md files, but the skill does not warn that these commands modify the filesystem and may overwrite or create files unexpectedly. In automated agent contexts, missing disclosure about write behavior can lead to accidental data loss, workspace pollution, or unsafe execution in sensitive directories.

VirusTotal

63/63 vendors flagged this skill as clean.
