Security audit

Quotation Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, quotation generation, but it can automatically pass quotation data to an external OKKI sync workflow, and it gives only under-scoped handling guidance for sensitive customer documents.

Install only if you are comfortable reviewing the generated files before sending and controlling whether OKKI sync or email workflows run. Avoid uploading generated quotations to online PDF tools, consider replacing CDN-loaded HTML assets with local copies, and use an explicit process for recipient, attachment, and CRM-sync confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises executable capabilities such as shell access, environment-variable use, and file read/write, but does not declare permissions in the manifest. This creates a transparency and governance gap: users and security tooling cannot accurately assess what the skill is allowed to do before invocation, increasing the risk of unexpected file modification or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared purpose is quotation generation, but the documentation describes materially broader behavior: email-related workflows, pre-send checks, PDF post-processing, and invocation of local Chrome/LibreOffice and external Node.js scripts. This mismatch can mislead operators about the true operational scope and trusted boundary of the skill, which is especially risky when the skill can invoke local executables and potentially interact with external systems.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The report and skill metadata imply OKKI CRM integration, but the documented implementation only checks whether an OKKI customer ID field exists and does not actually validate the customer against OKKI. This creates a trust gap where fabricated or stale IDs may be treated as legitimate, weakening the workflow's assurance that quotations are tied to real CRM entities.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document concludes that P0 fixes are fully complete, while elsewhere admitting that OKKI-related validation remains a placeholder. This kind of inconsistent security reporting can cause operators or reviewers to overtrust the workflow and deploy it under the false assumption that all critical validation controls are in place.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documentation extends the skill from document generation into outbound email preparation and attachment handling, which increases the sensitivity of the workflow. Once a skill influences email attachments and sending steps, misuse can lead to data leakage, wrong-recipient transmission, or social-engineering enablement beyond the stated quotation-generation purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes direct SMTP/email-sending instructions and attachment examples even though its stated purpose is quotation generation. Combining document generation with outbound email behavior raises the blast radius: generated content can be immediately transmitted externally, potentially exposing sensitive files or facilitating unauthorized business communications.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file contains obvious placeholder and sample content such as 'Example Electronic Co., Ltd.', example email domains, and bracketed bank fields, which directly conflicts with the skill description claiming data validation to prevent example/sample data. In a quotation-generation workflow, this can lead to accidental generation or transmission of fake commercial documents, causing business confusion, reputational damage, or downstream processing errors in CRM and document systems.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script performs an additional side effect beyond local quotation generation by automatically invoking an OKKI CRM sync script with the quotation data file and quotation number. This creates an unexpected data flow to an external system, which is security-relevant because users running a document-generation tool may not realize customer data will be transmitted or processed elsewhere.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A script whose primary purpose is generating files locally also has the capability to trigger network-enabled CRM synchronization through a separate Node.js script. That expanded capability increases attack surface and data exposure risk, especially because it is bundled into the default workflow rather than isolated as a privileged or optional operation.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file-level docstring claims validation failures immediately terminate generation with no bypass, but the script later exposes a documented --skip-validation path gated only by an environment variable. This is a real integrity-control weakness because downstream users or automation may rely on the stronger documented guarantee and inadvertently generate quotations from unvalidated or placeholder data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document recommends online PDF compression services for generated quotation PDFs without warning that these files may contain customer names, pricing, contact details, or other sensitive commercial data. Uploading such documents to third-party websites can cause unintended data disclosure, confidentiality breaches, and possible compliance issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends quotation-related parameters to an OKKI sync component without a clear user-facing consent step or prominent warning immediately before transmission. Because quotation data commonly contains customer and pricing information, silent synchronization can lead to unintended disclosure of sensitive business data.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Bypassing the restriction (development environment only):**
```bash
# The HTML script supports --skip-validation (requires an environment variable)
export QUOTATION_DEV_ENV=true
python3 generate_quotation_html.py --data test.json --output test.html --skip-validation
```
Confidence
96% confidence
Finding
--skip-validation

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# The HTML script supports --skip-validation (requires an environment variable)
export QUOTATION_DEV_ENV=true
python3 generate_quotation_html.py --data test.json --output test.html --skip-validation

# The Excel/Word scripts have no skip option; validation is enforced
```
Confidence
96% confidence
Finding
--skip-validation

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- ✅ `pre_send_checklist.py` - mandatory pre-send checklist (11.8KB)
  - ✅ Excel script integrated validation (prevents bypass)
  - ✅ Word script integrated validation (prevents bypass)
  - ✅ HTML script integrated validation + `--skip-validation` environment restriction
  - ✅ `generate-all.sh` mandatory validation before generation
  - ✅ Sample data detection (company name/email/address/phone/quotation number)
  - ✅ Validation failure terminates immediately and cannot be bypassed
Confidence
94% confidence
Finding
--skip-validation

Unsafe Defaults

Medium
Category
Tool Misuse
Content
**Bypassing the restriction (development environment only):**
```bash
# The HTML script supports --skip-validation (requires an environment variable)
export QUOTATION_DEV_ENV=true
python3 generate_quotation_html.py --data test.json --output test.html --skip-validation
```
Confidence
82% confidence
Finding
skip-validation

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```bash
# The HTML script supports --skip-validation (requires an environment variable)
export QUOTATION_DEV_ENV=true
python3 generate_quotation_html.py --data test.json --output test.html --skip-validation

# The Excel/Word scripts have no skip option; validation is enforced
```
Confidence
82% confidence
Finding
skip-validation

Unsafe Defaults

Medium
Category
Tool Misuse
Content
- ✅ `pre_send_checklist.py` - mandatory pre-send checklist (11.8KB)
  - ✅ Excel script integrated validation (prevents bypass)
  - ✅ Word script integrated validation (prevents bypass)
  - ✅ HTML script integrated validation + `--skip-validation` environment restriction
  - ✅ `generate-all.sh` mandatory validation before generation
  - ✅ Sample data detection (company name/email/address/phone/quotation number)
  - ✅ Validation failure terminates immediately and cannot be bypassed
Confidence
80% confidence
Finding
skip-validation

VirusTotal

65/65 vendors flagged this skill as clean.