Pdf Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed document toolkit that reads and writes user-supplied files, with a documented TTS feature that sends text to an external service.

Install only if you are comfortable with a local script reading and writing the document paths you provide. Avoid using the TTS command on confidential PDFs, DOCX files, or private text, because that content is sent to an external text-to-speech service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to execute a local script via `uv run` and states it can read from and write to arbitrary host paths, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: operators may treat the skill as lower risk than it is, while it actually has shell execution plus broad file access capabilities.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The implementation uses `edge_tts.Communicate(...).save(...)`, which sends supplied text to a remote Microsoft Edge TTS backend rather than performing synthesis purely locally. That conflicts with the skill's stated 'local script' purpose and can expose contents of PDFs, DOCX files, or arbitrary text to an external service without making that data flow explicit here.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code introduces network dependence for a capability presented as part of a local document-processing toolkit. In this context, users may reasonably expect documents to remain on-device, so hidden remote processing increases privacy and trust risk, especially for potentially sensitive PDF/DOCX content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Text extracted from user-provided files is passed into `edge_tts` with no visible warning, consent prompt, or sensitivity check in this file. Because the inputs may come from PDFs and DOCX documents, this can leak confidential content to an external service unexpectedly.

Scope Creep

Low
Category
Excessive Agency
Content
- `libreoffice` is an optional alternative to `pandoc` for `convert` because it can handle document conversions that `pandoc` may not support well.

## File Access And Network Behavior
- This skill operates on the file paths provided by the caller. It can read from and write to any host path the caller supplies; it is not limited to the OpenClaw workspace.
- The `/root/.openclaw/workspace/...` paths in the command examples show where the skill entrypoint lives. They do not restrict which files the skill can access.
- The `tts` command uses `edge-tts`, which sends the input text to an external text-to-speech service over the network to generate audio.
- Do not use `tts` with sensitive or private text unless you are comfortable sending that text off-host.
Confidence
89% confidence
Finding
not limited to

VirusTotal

65/65 vendors flagged this skill as clean.
