Diataxis Writing

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a documentation-writing helper, but it also includes under-scoped file-saving and external publishing features that users should review before installing.

Install only if you want a documentation skill that can help publish outputs, not just draft them. Prefer chat output for sensitive content, and before using Feishu, GitHub, Notion, Google Docs, or local-file output, confirm the exact destination, repository or document visibility, and whether the generated content is safe to persist outside the conversation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
'--content', content
]

result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

if result.returncode == 0:
    print(f"✅ 已创建飞书文档:{title}")
```
Confidence
80% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes file read/write and shell-execution behavior without declaring permissions or clearly constraining those actions to a narrow, user-approved scope. Hidden operational capability is dangerous because an agent may inspect local configuration, write files, or invoke commands in ways the user would not expect from a documentation-formatting guide.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised purpose is Diataxis guidance, but the instructions also perform environment discovery, config inspection, local file output, and external publishing via MCP/mcporter. This mismatch is risky because users may invoke the skill for harmless writing help while unintentionally granting it an opportunity to touch local state and exfiltrate content to third-party platforms.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
A skill framed as a documentation methodology guide should not implicitly expand into publishing workflows unless that behavior is clearly justified and disclosed. Embedding outbound publishing steps increases the attack surface because user content can be sent to external systems under the guise of normal document assistance.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Publishing to GitHub and other external platforms is not necessary for Diataxis analysis and creates unnecessary data-transfer capability. If abused, the skill could push sensitive drafts, internal notes, or proprietary documentation to remote services or repositories.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs execution of local shell commands and inspection of MCP configuration files, which exceeds the needs of a writing-framework guide. Environment probing can reveal system details, installed tools, and account configuration that may later be used for unauthorized actions or targeted exfiltration.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This reference materially expands a Diataxis writing skill into operational guidance for publishing content to local and remote platforms, including configuration and execution examples. In an agent skill context, that broadens the action surface from documentation advice into tool use that can modify files or external services, increasing the chance of unintended data exfiltration or remote changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file includes authentication setup, MCP integration, and command examples for external systems that are not necessary for a Diataxis writing guide. That mismatch can mislead an agent into performing operational actions beyond the user's documentation-classification task, creating unnecessary exposure to credential use and remote content modification.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This file materially exceeds the declared Diataxis writing-guide scope by implementing output delivery to local and external platforms. Scope mismatch is dangerous because users may grant trust appropriate for a harmless writing aid while the code actually performs file writes and external publication actions.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The code enumerates and prepares external publishing/tool-execution capabilities unrelated to a documentation-framework practice guide. In agent settings, unjustified capability expansion increases the attack surface and may enable unintended data movement or platform actions under misleading expectations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Reading host-level MCP configuration from `/root/config/mcporter.json` exposes information about available integrations and host environment configuration that is not necessary for a writing guide. In a skill context, probing privileged host config broadens visibility into system setup and can facilitate later misuse of discovered services.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README defines very broad automatic trigger conditions such as general documentation writing, best practices, and technical sharing. In an agent skill system, overly generic triggers can cause unintended invocation, pulling the skill into unrelated conversations and influencing outputs when the user did not explicitly request it.

Vague Triggers

Low
Confidence
82% confidence
Finding
The example trigger phrase "Help me write a tutorial" is generic and likely to appear in ordinary conversations unrelated to this specific skill. If the platform uses these examples to shape activation, the skill may be selected too aggressively, causing unintended behavior or interference with more appropriate tools.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises output to Feishu documents, local Markdown files, and GitHub repositories without any warning about data sensitivity, consent, or destination-specific risks. This can lead users or downstream agents to export internal or sensitive documentation to external services or persistent storage without adequate review.

Missing User Warnings

Low
Confidence
79% confidence
Finding
Saving generated content to local Markdown changes system state and may store sensitive information without warning the user about persistence, location, or overwrite risk. While lower severity, it can still cause accidental data exposure or unintended modification of local files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Feishu examples show direct create/update operations against a remote collaboration platform without warning that content will be transmitted externally and existing documents may be modified. In an agent setting, such examples normalize remote writes and can lead to accidental disclosure of sensitive text or unintended changes in shared enterprise systems.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The local write example performs a real filesystem write to a fixed workspace path without stating that it persists data to disk. While lower risk than remote publishing, it can still overwrite files, create unintended artifacts, or store sensitive content locally without the user's awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The GitHub section includes commands that can publish content to a remote repository and alter global git configuration, but it does not warn about repository exposure, auditability, or host-wide side effects. In agent environments, these commands can leak internal documents, change commit identity globally, and push unintended changes to shared repos.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Notion example sends content to an external SaaS platform without warning that data will be stored outside the local environment. This can cause users or agents to upload proprietary or sensitive material to third-party services without appropriate review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The local output path writes attacker- or user-controlled content directly to disk without an explicit confirmation step, and the filename is also insufficiently constrained. In an agent environment this can cause unintended persistence of sensitive data or overwrite/create files under the docs directory using crafted relative paths.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This path transmits provided content to Feishu through `mcporter` with no explicit warning, consent, or data-classification check. Remote publication can leak sensitive prompts, generated content, or internal data, and the danger is elevated because the skill's declared purpose does not justify external transmission.

Session Persistence

Medium
Category
Rogue Agent
Content
- **Chat** → Reply directly
- **Feishu (MCP)** → Use mcporter to call Feishu MCP server
  ```bash
  node /path/to/mcporter/dist/cli.js call feishu doc.create '{"title":"...", "content":"..."}'
  # Note: mcporter path varies by installation, common paths:
  # - ~/.npm/_npx/*/node_modules/mcporter/dist/cli.js
  # - Or use: npx mcporter call feishu doc.create ...
  ```
Confidence
83% confidence
Finding
create '{"title":"...", "content":"..."}' # Note: mcporter path varies by installation, common paths: # - ~/.npm

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal