Security audit

Docx Builder

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Word document generation helper with no artifact-backed evidence of hidden data access, persistence, or malicious behavior.

Install this if you want a Chinese-oriented helper for generating Word documents with Node.js. Review generated scripts before running them, confirm filenames and output paths, and be aware it installs the docx npm dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill auto-activates on broad structured-document requests, which can cause it to take over interactions that did not explicitly ask for Word/docx generation. This increases the chance of inappropriate tool or dependency recommendations and can steer the agent away from the user's intended format or workflow.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
The metadata and description are Chinese-only, which can bias routing and interaction toward a single language without confirming the user's preference. In multi-lingual environments this can cause misunderstanding, misgenerated documents, or reduced accessibility rather than direct code-execution risk.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The instruction text frames the skill persona and behavior entirely in Chinese and does not offer locale choice, which can force Chinese-language responses even when the user is using another language. This can degrade reliability and create unsafe misunderstandings in requirements-heavy document generation where precision matters.

VirusTotal

1/66 vendors flagged this skill as malicious, and 65/66 flagged it as clean.

Static analysis

No suspicious patterns detected.