xiaobai-print

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real print helper, but it can upload local files and proxy broad authenticated MCP tool calls, so users should review it before installing.

Install only if you trust the printer/upstream MCP service with the documents you print. Keep the bridge bound to 127.0.0.1, use a scoped token, avoid changing MY_MCP_BASE_URL or upstream URLs to untrusted hosts, and confirm the exact local file path before any upload, especially for sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill metadata exposes use of environment variables and networked behavior via wrapper/bridge interactions, but the skill does not clearly declare equivalent permissions or user-visible security boundaries. This weakens reviewability and consent because operators may believe the skill is limited to local print orchestration while it can access secrets and communicate externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is narrowly framed as a print helper, but the described behavior includes starting a local HTTP bridge, exposing tool endpoints, listing/calling arbitrary remote MCP tools, operating as an MCP server, reading local files, and uploading them to third-party storage. This capability mismatch is dangerous because it hides a materially broader attack surface and could enable unintended data access, tool execution, or service exposure beyond the user's expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The schema presents a narrowly scoped document-search capability, but the manifest delegates execution to a generic local MCP bridge over localhost endpoints. This creates a trust-boundary mismatch: if the bridge exposes more tools than declared, a caller or compromised wrapper could invoke unintended local capabilities while appearing to use a benign search skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The script accepts any tool name from the command line and forwards it to a generic `/mcp/tools/{tool}` endpoint, which is broader than the stated print-assistant workflow. In a skill context, this creates capability expansion: a caller can invoke unintended MCP tools with the bearer token, potentially reaching functions unrelated to printing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The code is effectively a general-purpose authenticated MCP proxy, not a print-specific helper. Because it combines arbitrary tool selection, arbitrary JSON arguments, and automatic bearer-token use, any consumer of the script can exercise the full authority of that token against the local MCP bridge, which can lead to unauthorized actions if higher-privilege tools are exposed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The bridge exposes a generic `/mcp/tools` listing endpoint and a generic `/mcp/tools/<name>` invocation endpoint, allowing callers to enumerate and invoke any upstream-exposed tool rather than a tightly scoped printer-only workflow. In the context of a printer assistant, this expands the attack surface significantly: any local process that can reach the bridge may proxy arbitrary upstream MCP actions using the request bearer token or the fallback environment token.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: This code starts a local HTTP server that forwards authenticated requests to a remote MCP endpoint, effectively turning the skill into a local proxy. Even though it binds to 127.0.0.1 by default, this still creates a local privilege-boundary issue: other local applications or browser-based localhost interactions may be able to leverage the bridge to access upstream capabilities with the configured token.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill metadata says it uses a local MCP bridge wrapper, but this code actually connects to a configurable remote MCP server and sends a bearer token in the Authorization header. That creates a trust-boundary mismatch: users or reviewers may believe operations stay local when the skill can forward requests and credentials to an arbitrary remote endpoint, increasing the risk of data exfiltration, remote command execution via exposed tools, or unauthorized third-party control.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The exported functions provide unrestricted remote tool enumeration and invocation by arbitrary name, which goes beyond the stated printer-assistant purpose. If the remote MCP server exposes sensitive or powerful tools, this wrapper can be used as a generic capability broker, enabling misuse unrelated to printing and expanding the attack surface substantially.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill metadata describes a local printing helper using a built-in wrapper to a local MCP bridge, but this code initializes configuration for a token-authenticated remote endpoint and advertises connecting to a remote MCP server. That mismatch can mislead reviewers and users about where data and commands are sent, creating unexpected data egress and a trust-boundary violation for print jobs, file contents, or device metadata.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: Requiring an environment token and remote server access is not consistent with the stated local printing-assistant behavior, and it expands the attack surface beyond local device operations. In practice, this can enable unauthorized outbound communication, exposure of sensitive document content or printer metadata to a remote service, and abuse of privileged environment-based credentials.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The workflow instructs uploading local files to a CDN and submitting remote print jobs, but it does not provide an explicit privacy warning or require affirmative user acknowledgement that document contents will be transmitted to external services. This creates a real confidentiality risk, especially for sensitive personal or business documents, because users may assume printing is local when files are actually copied to third-party infrastructure.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The invocation guidance is permissive and generic: 'Use this skill when the user needs capabilities exposed by the local MCP bridge' does not narrowly scope when the skill should be used. In an agent setting, vague routing language can cause the model to invoke a local wrapper and bridge in situations where the user did not clearly consent to networked/local service access, increasing the chance of unintended tool use and data exposure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill operates through a local MCP bridge and requires the MY_MCP_TOKEN credential, but the description does not prominently warn that using the skill may access a local HTTP service and use stored credentials. This omission can mislead users and higher-level agents about trust boundaries, causing sensitive queries or environment-backed authentication to be used without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill instructs the agent to upload local files to a CDN or use remote URLs directly for printing, but it does not require any user-facing warning or confirmation that document contents will be transmitted to external services. In a printing context this is sensitive because users may print personal, financial, legal, or confidential documents, and the workflow normalizes data transfer off-device without explicit consent or trust-boundary disclosure.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The skill allows cancellation of a print job whenever the user requests it, but it does not require a confirmation step or warn about consequences such as interrupting an active job, wasting paper/ink, or cancelling the wrong order. In an assistant workflow, ambiguous or mistaken cancellation requests are plausible, so the lack of a guardrail can cause unintended disruption to the user's work.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill exposes an uploadFile tool that takes an absolute local file path and uploads that file to a CDN, but the schema text does not include a clear user-facing warning that local data will leave the machine and be transmitted to a remote service. In an agent setting, this increases the risk of unintended exfiltration of sensitive local files because the action appears as a routine print step rather than an explicit data-transfer operation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script transmits a bearer token and arbitrary JSON arguments to an HTTP endpoint, with a default of plain HTTP on 127.0.0.1. Even though this is loopback by default, allowing a configurable base URL means credentials and request data could be sent unencrypted to a non-local or intercepted endpoint if MY_MCP_BASE_URL is changed or the local bridge is exposed/proxied. In a printing skill that may upload files and create jobs, those arguments can contain sensitive document content or metadata, increasing the confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: This code reads an arbitrary local file path and uploads its contents to a remote URL obtained from a remote tool response, with no user confirmation, path restriction, or destination allowlisting in this file. In an agent skill context, that creates a real exfiltration risk: if the file path or token source is influenced by prompts, tool responses, or untrusted workflow inputs, sensitive local files could be silently sent off-host.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (package.json excerpt):
    "prepublishOnly": "npm run build"
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.12.1"
  },
  "devDependencies": {
    "@types/node": "^22.0.0",
Confidence: 90%
Finding: "@modelcontextprotocol/sdk": "^1.12.1"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.12.1 — 3 advisory(ies): CVE-2026-25536 (@modelcontextprotocol/sdk has cross-client data leak via shared server/transport); CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

Severity: High
Category: Supply Chain
Confidence: 98%
Finding: @modelcontextprotocol/sdk==1.12.1

VirusTotal

62/62 vendors flagged this skill as clean.
