Doccraft

Security checks across malware telemetry and agentic risk

Overview

DocCraft is a coherent document-drafting and Word-file editing skill whose risks are the expected ones of local document processing; the scan found no evidence of hidden or malicious behavior.

Install only if you want Codex to work with local source materials and Word documents. Use narrow project folders, work on copies of important files, avoid untrusted SGDB_DOCX_MODULE values, keep the document-processing tools it shells out to (pandoc and the soffice binary) updated, and isolate unfamiliar DOCX/PPTX/XLSX files before unpacking or validating them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to read and write files and run shell commands such as pandoc and local scripts, but it declares no permissions at all. This capability/permission mismatch can bypass user and platform expectations, increasing the risk of unauthorized filesystem access, document modification, or command execution when the skill is invoked.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file states that content inside another author's tracked changes must never be modified, but later examples show direct modification patterns within another author's `<w:ins>` content. This inconsistency can cause invalid or misleading revision history, break validation assumptions, and undermine document integrity in review or legal workflows.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The tool validates repacked documents by opening them with an external desktop-office binary (soffice), which means untrusted OOXML content is fed into a large and historically bug-prone parser. In a skill that processes user-provided documents, this expands the attack surface and can lead to host compromise or denial of service if the installed soffice has an exploitable vulnerability.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script resolves and executes a module name or path from the environment variable SGDB_DOCX_MODULE before falling back to the expected docx package. Because require() executes module code on load, any attacker who can influence the environment or working directory can cause arbitrary JavaScript execution in the context of this document-generation process. In an agent skill that processes untrusted project materials and may run in shared automation environments, this extensibility is unrelated to the core task and materially increases risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The save() method writes modified XML back to the original unpacked directory by default when destination is not provided, which can silently overwrite source material. In an agent context, this creates a data integrity and workflow risk: a caller may intend to inspect or preview edits, but the library persists potentially destructive document changes without an explicit confirmation step at the point of save.

VirusTotal

64/64 vendors flagged this skill as clean.
