html-editor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly does what it claims, but it can automatically use ambient OpenAI or Anthropic API keys to send page-derived CSS metadata to third-party LLMs without a clear opt-in or full data-sharing disclosure.

Review before installing. Use it only on HTML you are comfortable processing locally and, unless you explicitly want LLM labels, run it with OpenAI and Anthropic API keys unset or in a network-restricted environment. Avoid sensitive or proprietary pages until the skill adds explicit opt-in controls and clearer disclosure for external LLM calls, and check output paths carefully when using --force.
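A containment wrapper for the "keys unset" recommendation above, added here as an example and not part of the skill: it launches the skill with the two credential variables the scan shows it reading removed, plus any other variable ending in _API_KEY (that suffix rule is an assumption, not something the page states), and fails closed if a key somehow survives scrubbing. It does not provide the network restriction the overview also mentions; that needs an OS-level control such as a namespace or firewall rule.

```python
import os
import re
import subprocess
from typing import Dict, List, Mapping

# The two variables the scan shows the skill reading.
KNOWN_LLM_KEYS = {"OPENAI_API_KEY", "ANTHROPIC_API_KEY"}
# Assumption: other providers follow the same naming convention, so anything
# ending in _API_KEY is stripped as well.
CREDENTIAL_SUFFIX = re.compile(r"_API_KEY$")


def credential_vars(env: Mapping[str, str]) -> List[str]:
    """Sorted names of variables in env that look like LLM/API credentials."""
    return sorted(k for k in env if k in KNOWN_LLM_KEYS or CREDENTIAL_SUFFIX.search(k))


def scrub_env(env: Mapping[str, str]) -> Dict[str, str]:
    """Copy of env with credential-looking variables removed; PATH, HOME etc. stay."""
    drop = set(credential_vars(env))
    return {k: v for k, v in env.items() if k not in drop}


def run_skill_without_llm_keys(argv: List[str]) -> subprocess.CompletedProcess:
    """Run the skill (argv is the command line you would normally type) in a
    scrubbed environment, refusing to launch if scrubbing left a key behind."""
    env = scrub_env(os.environ)
    leftover = credential_vars(env)
    if leftover:
        raise RuntimeError(f"refusing to launch, credentials still present: {leftover}")
    # stdin is closed so an unexpected interactive prompt cannot hang an automated run.
    return subprocess.run(argv, env=env, stdin=subprocess.DEVNULL, check=False)


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        sys.exit("usage: run_without_keys.py <skill command> [args...]")
    sys.exit(run_skill_without_llm_keys(sys.argv[1:]).returncode)
```

Because the scrubbed environment is built from a copy, the caller's own shell keeps its keys; only the child process loses them, so the wrapper can sit in front of the skill inside an agent harness without changing anything else.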

SkillSpector (11)

By NVIDIA

Tainted flow: 'api_key' from os.environ.get (line 268, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
import requests

        if api_type == 'anthropic':
            resp = requests.post(
                'https://api.anthropic.com/v1/messages',
                headers={
                    'x-api-key': api_key,
Confidence
95% confidence
Finding
resp = requests.post( 'https://api.anthropic.com/v1/messages', headers={ 'x-api-key': api_key, 'anthropic-version':

Tainted flow: 'api_key' from os.environ.get (line 268, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
content = resp.json()['content'][0]['text']
                return json.loads(content)
        elif api_type == 'openai':
            resp = requests.post(
                'https://api.openai.com/v1/chat/completions',
                headers={
                    'Authorization': f'Bearer {api_key}',
Confidence
95% confidence
Finding
resp = requests.post( 'https://api.openai.com/v1/chat/completions', headers={ 'Authorization': f'Bearer {api_key}',

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation exposes capabilities including environment access, file read/write, network use, and shell execution, but it declares no permissions or safety boundaries. This can lead to users or host agents invoking the skill without understanding that it may access API keys, modify files, or make outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The stated purpose suggests a local HTML editor transformation, but the documented behavior includes external LLM API calls, remote CSS fetching, broad HTML rewriting, compatibility gating, and local file output. This mismatch is security-relevant because operators may approve the skill for a narrow local transformation while it can also transmit derived data externally and perform broader system interactions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The function `_try_llm_labels` sends page-derived variable names, values, and selectors to third-party LLM APIs, which exceeds the declared purpose of converting static HTML into a visual editor. This creates a privacy and scope-expansion risk because input documents may contain sensitive branding, structure, or embedded content hints that users would expect to remain local.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code accesses `ANTHROPIC_API_KEY` and `OPENAI_API_KEY` from the environment and performs outbound API calls for a non-essential feature. That combination expands the skill’s privileges beyond its stated purpose and increases the risk of unexpected secret use and external data exposure in environments where such keys are present.
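This finding, the Description-Behavior Mismatch finding and the two Data Flow findings above all point at the same function. Below is an added example of how a gated version of `_try_llm_labels` could look; it is not the skill's code. The opt-in variable `HTML_EDITOR_ALLOW_LLM`, the `explicit` provider argument, the payload shape and the offline fallback are all assumptions. The network layer is injected as `post` so the gating logic can be exercised without any traffic.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical opt-in switch; the scanned skill has no such control.
OPT_IN_FLAG = "HTML_EDITOR_ALLOW_LLM"

# (provider, env var) in the order they are tried when several keys are present.
PROVIDER_KEYS = (("anthropic", "ANTHROPIC_API_KEY"), ("openai", "OPENAI_API_KEY"))

URL_RE = re.compile(r"url\(", re.IGNORECASE)


def select_provider(env: Dict[str, str], explicit: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (provider, key) only when the operator explicitly opted in.

    An ambient key alone is never enough: without the opt-in flag or an explicit
    provider choice (think of a --llm-labels=anthropic style argument) the function
    returns None and the caller must fall back to local labels.
    """
    if env.get(OPT_IN_FLAG) != "1" and explicit is None:
        return None
    for provider, var in PROVIDER_KEYS:
        if explicit and provider != explicit:
            continue
        key = env.get(var)
        if key:
            return provider, key
    return None


def minimize_payload(variables: List[dict]) -> List[dict]:
    """Send only what is needed to name a CSS variable: its name and a coarse value
    kind. Raw values (which may carry url(), data: URIs or brand text) and selectors
    (which reveal page structure) never leave the machine."""
    out = []
    for v in variables:
        value = v.get("value", "")
        if URL_RE.search(value) or value.startswith("data:"):
            kind = "url"
        elif value.startswith("#") or value.startswith("rgb"):
            kind = "color"
        elif re.match(r"^-?\d", value):
            kind = "number"
        else:
            kind = "text"
        out.append({"name": v["name"], "kind": kind})
    return out


def local_labels(variables: List[dict]) -> Dict[str, str]:
    """Offline fallback: derive a readable label from the variable name."""
    return {v["name"]: v["name"].lstrip("-").replace("-", " ").title() for v in variables}


def try_llm_labels(
    variables: List[dict],
    env: Dict[str, str],
    post: Callable[[str, str, List[dict]], Dict[str, str]],
    explicit: Optional[str] = None,
) -> Dict[str, str]:
    """Gated replacement for the skill's LLM labelling step. `post(provider, key,
    payload)` does the actual HTTP call; any failure degrades to local labels."""
    chosen = select_provider(env, explicit)
    if chosen is None:
        return local_labels(variables)
    provider, key = chosen
    try:
        return post(provider, key, minimize_payload(variables))
    except Exception:
        return local_labels(variables)
```

The two checks are independent on purpose: even once an operator opts in, the payload reduction means a proprietary page's selectors and literal values are still not transmitted, which is the disclosure gap the later Missing User Warnings findings describe.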

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README suggests very broad natural-language invocation phrases such as '把这个 HTML 做成可编辑版' ("make this HTML into an editable version") and '让我能不写代码改这个页面' ("let me change this page without writing code"), which can overlap with ordinary user requests in multi-skill agent environments. This increases the chance of unintended auto-invocation on arbitrary HTML content, causing the skill to transform or export files without sufficiently explicit user intent or scope confirmation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation says a new editable HTML file will be generated and even shows a force-overwrite flag, but it does not clearly warn about write operations and possible overwriting of the chosen output path. In agent-driven environments, unclear write semantics can cause unintended modification or replacement of user files.
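The write semantics this finding asks for, added here as an example rather than the skill's own code. The default output name `<input>.editable.html`, the exact meaning of `--force` and the rule that output must stay inside a base directory are assumptions; the page only shows that a force-overwrite flag exists.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


class OutputRefused(Exception):
    """Raised when writing the editable file would clobber or escape."""


def resolve_output_path(input_html: str, output: Optional[str], base_dir: str, force: bool = False) -> Path:
    """Decide where the generated file goes, refusing silent overwrites and escapes.

    - default output is <input>.editable.html next to the input (assumed naming)
    - the resolved path, symlinks included, must stay inside base_dir
    - the input file itself is never the output, even with force=True
    - an existing file is refused unless force=True
    """
    base = Path(base_dir).resolve()
    src = Path(input_html).resolve()
    dst = Path(output).resolve() if output else src.with_name(src.stem + ".editable.html")
    try:
        dst.relative_to(base)
    except ValueError:
        raise OutputRefused(f"{dst} is outside {base}")
    if dst == src:
        raise OutputRefused("refusing to overwrite the input file")
    if dst.exists() and not force:
        raise OutputRefused(f"{dst} exists; pass --force to overwrite")
    return dst


def write_atomically(dst: Path, content: str) -> Path:
    """Write via a temp file in the same directory and os.replace, so an
    interrupted run never leaves a half-written file at dst."""
    fd, tmp = tempfile.mkstemp(dir=dst.parent, prefix=".tmp-", suffix=".html")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(content)
        os.replace(tmp, dst)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return dst
```

Resolving both paths before comparing them is what makes the escape check meaningful: an agent-supplied `../` or a symlinked output directory would otherwise pass a naive string prefix test.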

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that if API keys are present it may call external LLM services to generate labels, but it does not disclose that page-derived style or content metadata may be sent to third parties. This creates a data exposure risk, especially when processing proprietary or sensitive HTML documents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file contains external LLM calls that package page-derived metadata, but there is no visible user-facing disclosure here that document metadata may be sent off-box. For a tool marketed as local HTML visual editing, silent remote processing can violate user expectations and lead to unintended sharing of sensitive page information.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The verifier writes attacker-controlled script content extracted from HTML to a temporary file and feeds it to the local Node.js runtime. Even though `node --check` performs syntax validation rather than intended execution, this still expands the attack surface to the behavior and vulnerabilities of an external interpreter and may surprise users processing untrusted content in an automated pipeline.
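If the syntax check is kept, the surrounding process can at least limit what a hostile script can reach. The function below is an added example, not the skill's verifier: it runs `node --check` on a mode-0600 file in a private temp directory, with a minimal environment (so no inherited NODE_OPTIONS or API keys), no stdin, a timeout and a size cap. The size cap and status vocabulary are assumptions.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Dict


def check_js_syntax(js_source: str, timeout: float = 5.0, max_bytes: int = 512 * 1024) -> Dict[str, str]:
    """Syntax-check untrusted script text with `node --check`, blast radius reduced.

    Returns {"status": ..., "detail": ...} where status is one of
    ok, syntax_error, timeout, too_large, skipped (node not installed).
    """
    if len(js_source.encode("utf-8")) > max_bytes:
        return {"status": "too_large", "detail": f"script exceeds {max_bytes} bytes"}
    node = shutil.which("node")
    if node is None:
        return {"status": "skipped", "detail": "node not on PATH"}
    with tempfile.TemporaryDirectory(prefix="jscheck-") as workdir:
        path = os.path.join(workdir, "inline.js")
        # O_EXCL + 0600: nobody else can pre-create or read the file.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(js_source)
        # Deliberately minimal environment: only PATH, so nothing set by the
        # caller's shell (NODE_OPTIONS, credentials) reaches the interpreter.
        env = {"PATH": os.environ.get("PATH", "")}
        try:
            proc = subprocess.run(
                [node, "--check", path],
                cwd=workdir,
                env=env,
                stdin=subprocess.DEVNULL,
                capture_output=True,
                text=True,
                timeout=timeout,
            )
        except subprocess.TimeoutExpired:
            return {"status": "timeout", "detail": f"node --check exceeded {timeout}s"}
    if proc.returncode == 0:
        return {"status": "ok", "detail": ""}
    detail = next((line for line in proc.stderr.splitlines() if "Error" in line), "")
    return {"status": "syntax_error", "detail": detail}
```

This does not turn the parse into a sandbox; it only removes the easy ways for untrusted content to influence the process (environment, working directory, open file descriptors, unbounded runtime). Pipelines that process fully untrusted HTML should still treat the check as optional and run it in an isolated worker.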

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
