Docx Chapter

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its document-generation purpose, but it performs mandatory broad web browsing and sends page/research text to an LLM without clear user-facing disclosure or scoping.

Review before installing in sensitive environments. Use it only in a workspace where generated drafts, research excerpts, screenshots, and verification files may be retained, and avoid confidential or internal URLs unless you are comfortable with the browser loading them and with openclaw infer receiving page and chapter text. Prefer running with network controls or an allowlist for footnote domains.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

1. subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Content (truncated excerpt quoted by the scanner):
    # Run purple highlight script
    try:
        cmd = [PLAYWRIGHT_PYTHON, str(PURPLE_SCRIPT), fn_url, str(output_file), '--smart'] + keywords
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, start_new_session=True)
        try:
            stdout, stderr = proc.communicate(timeout=300)
            if proc.returncode == 0:
Confidence: 82%
Finding: proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, start_new_session=True)

2. Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: In smart mode, the script extracts the full visible webpage text and passes it to an external LLM process, which exceeds the minimum data needed for keyword highlighting. This can disclose sensitive or proprietary page content to another component or service without necessity, especially since the tool is a screenshot utility and users may not expect content exfiltration for matching assistance.

3. Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: The script sends excerpt/title content derived from chapter research into an external LLM CLI even though its advertised role is screenshot verification. In this context, research excerpts and chapter material may be sensitive or proprietary, so this creates an unnecessary data-exfiltration path and expands the trusted computing base without clear need.

4. Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: This second LLM call sends source context and body-context text from the chapter to an external model to generate keyword variants, further increasing disclosure of user content beyond the minimal needs of screenshot capture. Because the input is attacker-influenced and the output then steers downstream browser activity, the feature increases both privacy risk and attack surface.

5. Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The skill persists multiple artifacts and checkpoints to disk, including markdown, DOCX, research results, verification data, and screenshots, without prominent warning about filesystem modification or retention. In a research pipeline, these files may contain sensitive source material, local paths, or generated content, and silent writes can overwrite data or leak information into shared directories.

6. Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The workflow performs broad outbound retrievals, URL validation, and mandatory screenshot capture of external sites, but does not clearly foreground that it will contact third-party services and load arbitrary URLs. This can expose IP, headers, browsing fingerprints, or confidential query content to external destinations, which is especially relevant in enterprise or sensitive-research contexts.

7. Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The prompt construction embeds the page text for transmission to an external LLM subprocess without any user-facing warning or consent mechanism. In a document-generation and verification workflow, webpages may contain confidential research, licensed content, or internal materials, so silent disclosure materially increases privacy and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.