mm-output

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it needs review because it can send full user documents and images to configurable third-party LLM endpoints and its installer makes broad system changes.

Install only if you are comfortable with your PDFs, Markdown, tables, captions, and images being sent to the configured LLM/image-generation providers. Avoid processing confidential or regulated documents unless those providers are approved for that data. Review .env carefully, keep API keys out of version control, prefer trusted/pinned install methods over curl-to-shell, and use simple/local rendering when remote LLM processing is not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (23)

Tainted flow: 'payload' from pathlib.Path.read_text (line 458, file read) → requests.post (network output)

High
Category
Data Flow
Content
```python
last_err: Exception | None = None
for _ in range(max(1, attempts)):
    try:
        resp = requests.post(endpoint, headers=headers, json=payload, timeout=120)
        if resp.status_code < 200 or resp.status_code >= 300:
            raise RuntimeError(f"HTTP {resp.status_code}: {resp.text[:800]}")
```
Confidence
91% confidence
Finding
resp = requests.post(endpoint, headers=headers, json=payload, timeout=120)

Tainted flow: 'endpoint' from os.getenv (line 380, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
```python
for _ in range(max(1, attempts)):
    try:
        r = requests.post(endpoint, headers=headers, json=body, timeout=60)
        if r.status_code < 200 or r.status_code >= 300:
            raise RuntimeError(f"HTTP {r.status_code}: {r.text[:500]}")
        data = r.json()
```
Confidence
72% confidence
Finding
r = requests.post(endpoint, headers=headers, json=body, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation describes capabilities that access environment variables, local files, the network, and shell commands, but no permissions are declared. This creates a transparency and governance gap: users or platforms may grant broader trust than intended, while the skill can still drive sensitive operations such as reading API keys, invoking installers, and writing outputs.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installer downloads and immediately executes a remote shell script with `curl ... | sh`, which gives the remote server full code execution during installation. For a document parsing/conversion skill, this adds supply-chain risk that is broader than the core function and is especially dangerous because compromise of the upstream host, DNS, TLS trust chain, or delivered script would run arbitrary commands on the user's machine.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The converter sends extracted document content, including headings, paragraphs, tables, highlights, and references, to an external LLM service for slide planning. In a document parser/converter skill, this creates a real data exfiltration/privacy risk because user-supplied document contents may contain sensitive or proprietary information and are transmitted off-box without any consent gate, minimization, or redaction.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This code sends full prompt content, document-derived text, and attached reference images to a remote endpoint defined by an environment variable. That creates a real data-exfiltration risk if the documents contain sensitive or proprietary content, especially because the endpoint may be a proxy service rather than a first-party provider.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code sends up to 6000 characters of input content to an external LLM service using environment/API credentials, which creates a real data-exfiltration/privacy risk if the parsed documents contain sensitive material. In the context of a parser/converter skill, this is more concerning because users may reasonably expect local transformation, not transmission of document content to a third-party model endpoint configured via environment variables or custom base_url.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly tells users to put API keys into a .env file but does not warn that the file contains secrets, should be excluded from version control, and should have restricted access. In a developer-facing skill that integrates with external LLM providers, this omission increases the chance of accidental credential leakage through git commits, shared archives, or logs.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The documentation instructs users to pipe a remotely fetched script directly into the shell with no integrity verification, pinning, or warning. If the remote host, transport, or script distribution path is compromised, arbitrary code will run immediately on the user's machine during setup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file provides extensive menstrual-health, nutrition, and symptom-relief guidance with quantitative claims, contraindications, and condition-specific recommendations, but it does not include a clear disclaimer that the content is not medical advice and may be unsafe for some users. In this context, users may rely on inaccurate or non-generalizable health guidance, delay professional care, or follow recommendations that conflict with their conditions, medications, allergies, pregnancy status, anemia severity, or other medical needs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section provides concrete medical treatment recommendations, including named drugs, traditional medicine regimens, and procedure-selection guidance, without a prominent upfront warning that the content is not a substitute for professional medical diagnosis or treatment. In a skill that parses and presents content as polished poster-style output, users may interpret the advice as authoritative and act on it without clinician oversight, creating meaningful risk of delayed diagnosis, inappropriate self-medication, or harmful treatment decisions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file gives readers a concrete self-test for edema ('凹陷性水肿测试', pitting edema test) and symptom interpretation without any warning that the content is educational only and not a substitute for medical evaluation. This can encourage self-diagnosis, delay care for serious causes such as heart, kidney, liver, or thrombotic disease, and create unsafe reassurance or unnecessary anxiety.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs `apt-get update`, installs many system packages, modifies the Python environment, and installs Playwright browsers without any confirmation or dry-run step. While common in convenience installers, this can surprise users, requires elevated privileges, and increases the blast radius if the script is run in the wrong environment or as root.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function sends parsed paper content and figure context to Gemini-based external services for image generation without any explicit in-function consent, warning, or policy gate. If users process unpublished papers, proprietary PDFs, or sensitive research material, this can cause unintended third-party disclosure and compliance/privacy issues.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code reads raw markdown text from disk and submits it to an external LLM for XHS copywriting without an explicit disclosure or consent check. Raw markdown may contain unpublished manuscript text, author notes, identifiers, or embedded secrets, so forwarding it to a third-party model increases confidentiality and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends user-supplied markdown, table content, captions, and base64-encoded figure images to an external LLM endpoint via the OpenAI client. This creates a real data-exposure risk because potentially sensitive document contents are transmitted off-box without any consent gate, redaction step, or clear warning in this component.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The request transmits prompt content and image metadata to an external service, but this code contains no consent, notice, or policy gate before doing so. In a parser/converter skill handling user-supplied papers and figures, silent transmission can violate user expectations and organizational data-handling requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The renderer sends the full paper text and assembled asset metadata to an external LLM endpoint but provides no user-facing disclosure or consent mechanism at the time of transmission. In this skill context, users may reasonably expect local rendering, so undisclosed export of document contents increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Gemini native call similarly transmits full user content to a remote service without an explicit warning or confirmation step. Because this component processes arbitrary PDF/Markdown-derived text, the data may include unpublished research, internal URLs, or sensitive business content that should not be exported silently.

Ssd 3

Medium
Confidence
89% confidence
Finding
Untrusted HTML-derived text is forwarded to the LLM and can be reproduced into generated slides, including clickable reference hyperlinks, without semantic filtering or policy checks. This enables prompt-injection-style content manipulation, misleading or harmful slide output, and propagation of attacker-controlled text/URLs into deliverables, which is more concerning because the skill processes arbitrary user documents and emits presentation artifacts that others may trust.

Ssd 3

Medium
Confidence
92% confidence
Finding
Untrusted markdown, table text, and figure captions are inserted directly into the prompt sent to the LLM, so prompt-injection instructions embedded in source documents can steer the model's planning behavior. In this skill's context, that can cause unintended disclosure or prioritization of included sensitive content because the model is asked to analyze and restructure the entire document plus assets.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Install UV
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install Python 3.12
uv python install 3.12
```
Confidence
98% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Install UV
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install Python 3.12
uv python install 3.12
```
Confidence
99% confidence
Finding
| sh

VirusTotal

63/63 vendors flagged this skill as clean.