Back to skill

Security audit

pageclaw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed page-to-HTML generation skill, but users should expect local file creation and some optional external network use.

Install only if you are comfortable with the skill creating or updating files in the current project, especially page-story.md, docs/plans files, and index.html. Treat reference URLs as explicit permission for the agent to fetch those pages, and be aware generated pages may load fonts or icons from third-party CDNs unless you modify the output to inline or vendor those assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (46)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill appears able to read and write files while not declaring those capabilities. Undeclared file access weakens reviewability and consent because users and tooling cannot accurately understand what the skill may touch before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose says this skill converts page-story markdown into a static HTML page, but the analyzed behavior indicates materially different actions, including searching unrelated design-system knowledge bases and writing other artifacts. This mismatch prevents informed consent and can cause the skill to operate on data or produce outputs the user did not request.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to fetch arbitrary user-supplied reference URLs and to depend on third-party CDN-hosted SVG assets. Arbitrary outbound fetches can leak browsing context or interact with attacker-controlled endpoints, while CDN dependencies introduce integrity, privacy, and availability risks into generated output.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly documents fetching images from Pexels/Unsplash, introducing external network access that is not clearly justified by a design-token/design-system role. That can cause unintended third-party data disclosure, policy bypass, or surprise outbound requests during execution, especially in an automated pipeline where users may not realize external services are being contacted.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The plan explicitly adds third-party network fetches for social icons via jsDelivr/Simple Icons in a skill whose stated purpose is to transform a local markdown brief into a static HTML page. This expands the skill's capabilities beyond local rendering, introduces privacy/supply-chain risk, and can cause generated pages to make unexpected outbound requests whenever viewed.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The page loads Google Fonts from third-party domains, which is unnecessary for a self-contained static HTML output and causes user requests, IP addresses, user agents, and referrer context to be disclosed to external services. While not an active code-execution issue, it creates avoidable privacy leakage and weakens the portability and determinism expected from local static page generation.

Context-Inappropriate Capability

Low
Confidence
96% confidence
Finding
The page fetches icon assets from jsDelivr at runtime even though the stated goal is generation of a static page. This leaks page visits to a third party and introduces unnecessary supply-chain and availability dependencies into otherwise simple content.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The page loads fonts and icons from external providers (Google Fonts and jsDelivr), which introduces third-party network access, supply-chain dependency, and external request leakage into what is otherwise a static local page. In the context of a page-generation skill, this is not an immediate code-execution flaw, but it does expand the trust boundary and can expose visitor metadata or break offline/reproducible builds.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The implementation plan explicitly instructs loading icon assets from a third-party CDN, adding an unnecessary external dependency to what should be a self-contained static page build. This creates privacy, integrity, and availability risk: page loads will contact a third party, can fail offline, and depend on externally served content that may change or be tampered with.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The plan instructs the generated static page to fetch SVG icons from an external CDN at runtime, introducing an unnecessary third-party dependency for a page that could otherwise be fully self-contained. This creates privacy, integrity, and availability risk: visitors leak metadata to the CDN, the page can break if the CDN is unavailable, and compromised or changed remote assets could alter rendered content.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to fetch and analyze arbitrary user-provided URLs as part of a page-design workflow, which expands its authority from local markdown-to-HTML generation into network access. This can expose the environment to unintended outbound requests, privacy leaks, and server-side request abuse if internal or sensitive URLs are supplied, especially because the fetch is framed as a normal pipeline step rather than an exceptional action.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
Mandating Simple Icons via a third-party CDN introduces unnecessary external dependency and runtime network access for a deliverable that could be fully self-contained. This creates privacy leakage to the CDN, availability/supply-chain risk, and breaks the expectation of a purely local static page build.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill’s stated purpose is local markdown-to-HTML generation, but its workflow expands scope to external website fetching and CDN asset use. That broadens the trust boundary and can expose user activity, ingest untrusted remote content, or create outputs that depend on third-party resources not implied by the description.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The instruction to fetch arbitrary user-provided reference URLs introduces network access beyond the core file-conversion task. This can be abused for SSRF-like access to internal resources if URL handling is not constrained, and even when limited to public sites it unnecessarily exposes browsing/fetch capability to untrusted input.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s declared behavior and the surrounding skill context are materially misaligned: the outer skill is a page-story markdown to static HTML pipeline, while this content is a broad UI/UX toolkit spanning many domains and stacks. That kind of scope drift is dangerous because it can cause the wrong skill to be invoked for unrelated tasks, expanding the agent’s effective authority and increasing the chance of unintended actions or unsafe recommendations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs users to install Python system-wide across multiple operating systems, which is an environment-modifying action not justified by a documentation/advisory skill of this type. Even if not overtly malicious, it normalizes privileged system changes and can lead an agent or user to perform unnecessary package installation, increasing attack surface and operational risk.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The file simultaneously claims support for many stacks while later asserting React Native as the project's only stack, indicating internal contradiction about scope and intended behavior. Such ambiguity increases the likelihood of incorrect tool usage, bad assumptions by downstream agents, and accidental execution of instructions outside the intended environment.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file advertises a page-generation core for turning page-story markdown into polished HTML, but the implementation is a BM25 search engine over local UI/UX CSV files. This capability mismatch is dangerous because downstream agents or users may trust the manifest and invoke the skill in workflows that assume code generation, validation, or content transformation, leading to incorrect behavior, policy bypass opportunities, or hidden functionality not subject to expected review.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The primary exported functions only perform domain detection and CSV search, not the claimed automated design, build, and quality pipeline for webpage generation. In an agent ecosystem, this kind of deceptive or mislabeled behavior increases security risk because orchestration logic may route sensitive or trusted tasks to a component whose real behavior is different from what reviewers and users expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The function writes files and directories to a caller-controlled output location without clear confinement to a safe workspace, and it also derives path components from project/page names with only minimal normalization. In an agent context, unexpected persistence can overwrite or scatter files outside the intended build output, creating integrity and data-handling risks that exceed the skill's stated purpose.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The file advertises and implements a UI/UX search and design-system generator, while the declared skill is supposed to convert page-story markdown into static HTML. This capability drift is dangerous because it creates hidden or undocumented behavior that can bypass user and platform expectations, expanding what the skill can do beyond its stated trust boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script exposes a general-purpose command surface for domain search, stack search, design-system generation, and persistence that is broader than the skill's stated page-story-to-HTML purpose. Even without obvious code execution, this undocumented functionality increases attack surface and may let an agent invoke unintended behaviors, read from unexpected datasets, or write files in contexts where only page rendering was expected.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger description is broad enough to match many generic requests for personal, academic, or portfolio pages, increasing the chance the skill activates outside its narrow intended workflow. Overbroad activation is risky because this skill can write files and initiate multi-step operations automatically.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill creates a new page-story.md in the user's working directory automatically when no input file is found. Silent file creation can surprise users, modify repositories, and create opportunities for accidental overwrite or unwanted state changes during mere discovery or preview flows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow writes multiple artifacts, including planning documents and index.html, but the description does not clearly disclose these side effects. Hidden write behavior undermines user expectations and may alter project state in ways that are hard to review, especially when output paths are in the project root.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.