Smart Document Assistant (智能文档助手)

Security checks across malware telemetry and agentic risk

Overview

DocPilot appears to be a legitimate document-processing skill, but it uploads user documents to a configurable remote API without clear enough privacy disclosure or destination safeguards.

Review before installing. Use this only with documents you are allowed to send to DocPilot or another configured endpoint, verify config.json and environment settings before use, replace or remove the bundled api_key value, and avoid confidential or regulated documents unless the provider and endpoint meet your data-handling requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tainted flow: 'api_url' from os.environ.get (line 133, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if md_return_image:
    data["md_image_format"] = md_image_format

response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

if response.status_code == 200:
    result = response.json()
Confidence
97% confidence
Finding
response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

Tainted flow: 'api_url' from os.environ.get (line 133, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if options:
    data["options"] = json.dumps(options) if isinstance(options, dict) else options

response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

if response.status_code == 200:
    result = response.json()
Confidence
97% confidence
Finding
response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

Tainted flow: 'api_url' from os.environ.get (line 133, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if category_schema:
    data["category_schema"] = json.dumps(category_schema) if isinstance(category_schema, dict) else category_schema

response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

if response.status_code == 200:
    result = response.json()
Confidence
97% confidence
Finding
response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The configuration section shows a remote base URL and API key, indicating document contents are likely sent to an external service. Because the skill is framed primarily as local document parsing/extraction/classification, this hidden expansion of data flow increases privacy and data-governance risk, especially for contracts, invoices, and audit materials mentioned elsewhere in the skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill presents itself as a document-processing utility, but the implementation uploads the file to a remote DocPilot service for parsing. This mismatch is security-relevant because users may reasonably assume local-only handling and unintentionally expose sensitive documents.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The extraction feature sends both the document and extraction schema/prompt data to an external API, but this is not clearly disclosed in the skill behavior. Hidden off-host transmission increases the risk of accidental exposure of sensitive documents and business logic embedded in schemas/prompts.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The classification path depends on external network processing even though the skill is framed as a document tool without prominent notice of remote transfer. For sensitive internal documents, this hidden dependency materially changes the trust and privacy model.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README clearly instructs users to configure a remote API endpoint and use the skill to parse and extract data from local documents, but it does not disclose that document contents may be transmitted to an external service. Because the skill is explicitly designed for sensitive business documents such as contracts, invoices, audits, and compliance records, this omission can mislead users into sending confidential data off-host without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to configure a remote base URL and API key for DocPilot but does not clearly warn that document contents may be transmitted to a third-party service. For a document-processing skill, this omission is security-relevant because users may unknowingly upload sensitive contracts, invoices, IDs, or financial records to an external endpoint, creating privacy, compliance, and data-handling risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill documentation instructs users to configure a remote service endpoint and API key but does not warn that uploaded documents and extracted fields may leave the local environment. This is especially dangerous in the stated use cases—contracts, financial audits, archives, and compliance reviews—because those documents commonly contain confidential, regulated, or legally privileged data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manifest advertises document parsing, extraction, and classification features while also requiring an API key and defining a remote default base URL, which strongly implies user documents are sent to an external service. However, the manifest does not clearly disclose this data transfer or warn that potentially sensitive documents may leave the local environment, creating a privacy and data-handling risk for users who may assume local-only processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The parse operation uploads the specified local document to a remote API without a clear warning at the point of use that file contents leave the host. In a document-processing skill, this is particularly risky because users may feed in confidential contracts, IDs, or internal reports.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The extraction flow transmits user documents off-host without explicit disclosure in the interface. Because extraction often targets sensitive structured data, the hidden upload can expose personal, financial, or regulated information to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The classification path also uploads local documents to a remote endpoint without a prominent disclosure. This creates privacy and compliance risk because even metadata-rich classification tasks may involve confidential files that users expect to remain local.

VirusTotal

64/64 vendors flagged this skill as clean.