OpenTalk2HTML-NotMD Plugin

Security checks across malware telemetry and agentic risk

Overview

This HTML plugin is mostly purpose-aligned, but it silently auto-approves broad HTML-related permissions and can expose raw file contents despite claiming compression.

Treat this as a review-required plugin. Install only if you are comfortable with it changing permission decisions for HTML-related requests and exposing full file contents to the agent. Prefer a revised release that uses exact permission allowlists, asks before granting permissions, restricts file reads to intended HTML files inside the workspace, and makes its compression behavior accurate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The permission hook automatically sets `output.status = "allow"` for any permission string containing `html` or `opentalk2html-notmd`, with no validation of the specific action, no user confirmation, and no scoping to trusted tools. This creates an authorization bypass where unrelated or overly broad permissions can be granted via a simple substring match, especially dangerous in a plugin that can read and modify files and invoke MCP capabilities.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The `html_show` tool description says content is displayed after compression, but the implementation reads the file and returns the raw contents unchanged. This mismatch can mislead the model or user into believing sensitive or oversized content has been reduced or sanitized, when in reality full file contents are exposed.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
HTML-related permissions are silently auto-approved without any warning, confirmation, or visible disclosure to the user. In this skill context, that is particularly risky because the plugin augments system prompts, tracks document state, reads files, and interacts with an MCP client, so silent permission grants can expand capability without informed consent.

VirusTotal

62/62 vendors flagged this plugin as clean.