YMind Chat Visualizer

Security checks across malware telemetry and agentic risk

Overview

This chat visualization skill appears functional, but it saves full chats locally and includes browser automation meant to work around provider blocking, so it needs user review before installation.

Install only if you are comfortable with public share links being fetched, complete transcripts being saved under a local YMind workspace, and generated HTML loading third-party CDN assets. Avoid confidential or regulated chats unless you set a controlled output directory, review or delete raw_chat.json and graph.html afterward, and accept the platform risk of the Claude/DeepSeek anti-bot fetching behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to use filesystem access, environment-dependent path discovery, and network-capable update/version checks and URL fetching, but it declares no corresponding permissions. That mismatch is dangerous because it hides the true execution capabilities from users and policy enforcement, making it easier for the skill to read/write local data and contact external resources without transparent consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script makes an outbound network request to GitHub to check for updates, which is unrelated to the core chat-visualization functionality described to users. While the destination is a legitimate API and the behavior is not overtly malicious, hidden network activity expands the skill's attack surface and can violate user expectations in restricted or privacy-sensitive environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The codebase contains undisclosed update-checking logic that is not reflected in the manifest's stated purpose. Even though it only queries the latest release metadata, undisclosed background communication is a security and transparency issue because users and operators cannot make an informed trust decision.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The Claude fetcher explicitly uses a headed browser and anti-automation evasion (`--disable-blink-features=AutomationControlled`, overriding `navigator.webdriver`) to bypass Cloudflare-style bot protections. That goes beyond ordinary content retrieval for a visualization skill and creates legal, policy, and abuse risk because the code is designed to circumvent an access-control mechanism rather than rely on supported APIs or explicit user export flows.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The DeepSeek fetcher also relies on the same anti-automation helper to work around blocking, meaning the skill is intentionally engineered to evade provider defenses. In this skill context, that is risky because it normalizes bypass behavior for third-party services and may expose users or operators to account, compliance, or platform enforcement issues.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This helper centralizes anti-bot bypass behavior by launching a non-headless browser, spoofing a normal browser profile, and masking WebDriver detection. Because the skill's stated purpose is merely to visualize public shared chats, embedding generic anti-automation evasion is disproportionate and increases the chance the tool will be used to circumvent protections on services that did not intend automated scraping.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
The page loads third-party resources from Google Fonts, D3 CDN, and html2canvas CDN. Because this skill processes chat transcripts, opening the generated HTML causes the user's browser to contact external domains, leaking metadata such as IP address, user agent, timing, and possibly referer context, with no clear disclosure of why these remote resources are necessary; additionally, remote scripts create a supply-chain risk if the CDN content changes or is compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes that raw chat content is saved locally as `raw_chat.json`, but it does not prominently warn users that potentially sensitive conversation data will be persisted on disk in clear form. In the context of a skill designed to ingest AI chat transcripts, users may paste or fetch highly sensitive material, so insufficient disclosure increases the risk of accidental retention, local exposure, backup leakage, or unintended sharing of generated artifacts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explains that conversations are fetched and saved under a workspace, but the quick-start flow does not clearly foreground that full chat contents, including pasted transcripts or fetched share-page data, will be written to disk. In a skill specifically designed to process potentially sensitive AI conversations, this can lead users to disclose confidential material without realizing it will persist locally in raw and derived files.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README notes that the generated HTML loads fonts and JavaScript libraries from CDNs, but it does not prominently warn that opening the visualization will trigger outbound network requests. Because the rendered page may correspond to sensitive conversation data, users could wrongly assume the artifact is fully local and safe to open offline, creating avoidable privacy and metadata leakage risks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description is broad enough to trigger on generic requests like summarizing or understanding a chat, even when the user did not ask for this specific skill. In this skill's context, over-broad triggering is more dangerous because activation can lead to local file creation, optional dependency installation guidance, browser automation, and fetching third-party share links, expanding the chance of unnecessary data handling or external access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes fetched chat transcripts to disk by default, which can persist sensitive conversation data beyond the user's immediate task and expose it to other local users, backups, logs, or later compromise. In a tool specifically designed to ingest AI chat content, persistent storage raises real confidentiality risk because shared chats may still contain personal, proprietary, or security-relevant information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
External network resources are fetched automatically when the HTML is opened, but the UI does not disclose that viewing a transcript visualization triggers requests to third parties. In the context of a chat-transcript visualizer, users may reasonably expect sensitive conversation handling to stay local, so undisclosed outbound requests increase privacy risk and user surprise.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal