
Security audit

Tencent Docs Reader

Security checks across malware telemetry and agentic risk

Overview

The main Tencent Docs reader is coherent, but the package includes an under-disclosed weekly-report helper that can send personnel status to an external webhook.

Install only if you are comfortable with a browser automation daemon copying Tencent Docs content through the clipboard. Use it only on spreadsheets you are authorized to read, avoid running scripts/check_weekly_report.py unless you intentionally want that workflow, and do not set WECOM_WEBHOOK_URL unless sending report-status names to that webhook is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'req' from os.environ.get (line 148, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content (excerpt from the audited helper; the two Chinese log strings read "Sent WeCom notification: ..." and "Failed to send WeCom notification: ...")
data=json.dumps(data, ensure_ascii=False).encode('utf-8'),
            headers={'Content-Type': 'application/json'}
        )
        with urllib.request.urlopen(req) as resp:
            print(f"已发送企业微信通知: {resp.read().decode('utf-8')}", file=sys.stderr)
    except Exception as e:
        print(f"发送企业微信通知失败: {e}", file=sys.stderr)
Confidence
96% confidence
Finding
with urllib.request.urlopen(req) as resp:
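How a variable-mediated taint flow like this one is found, as an added example that is neither SkillSpector's code nor the audited skill's: a small AST-based tracker that marks names assigned from os.environ.get / os.getenv / os.environ[...] as tainted, propagates taint through assignments (url -> req) and reports when a tainted name reaches a network sink such as urllib.request.urlopen. SAMPLE is a constructed stand-in that resembles the audited weekly-report helper; its line numbers are its own, not the real script's line 148. The source and sink tables are assumptions chosen for illustration.

```python
"""Minimal variable-mediated taint tracker over Python source (added example)."""
import ast
from typing import Dict, List, Optional, Tuple

# Assumed source and sink tables: dotted call chains that introduce operator-controlled
# data, and dotted call chains that send data off-host.
SOURCE_CALLS = {("os", "environ", "get"), ("os", "getenv")}
SINK_CALLS = {("urllib", "request", "urlopen"), ("requests", "post"), ("requests", "get")}


def attr_chain(node: ast.AST) -> Tuple[str, ...]:
    """Flatten `a.b.c` into ('a', 'b', 'c'); anything that is not a dotted name gives ()."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return ()


def is_source(node: ast.AST) -> bool:
    """os.environ.get(...), os.getenv(...) and os.environ[...] introduce tainted data."""
    if isinstance(node, ast.Call) and attr_chain(node.func) in SOURCE_CALLS:
        return True
    return isinstance(node, ast.Subscript) and attr_chain(node.value) == ("os", "environ")


class TaintTracker(ast.NodeVisitor):
    """Flow-insensitive across functions, but assignments are processed in program order,
    so a later clean `req = ...` kills the taint and is not blamed for an earlier flow."""

    def __init__(self) -> None:
        self.tainted: Dict[str, int] = {}  # name -> line where its taint originated
        self.findings: List[Tuple[str, int, str, int]] = []

    def _origin(self, node: ast.AST) -> Optional[int]:
        """Line where taint entered the data `node` evaluates to, or None if it is clean."""
        for sub in ast.walk(node):
            if is_source(sub):
                return sub.lineno
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return self.tainted[sub.id]
        return None

    def visit_Assign(self, node: ast.Assign) -> None:
        origin = self._origin(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin is None:
                    self.tainted.pop(target.id, None)  # clean reassignment kills taint
                else:
                    self.tainted[target.id] = origin  # propagate the original source line
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        chain = attr_chain(node.func)
        if chain in SINK_CALLS:
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                origin = self._origin(arg)
                if origin is not None:
                    name = next((s.id for s in ast.walk(arg)
                                 if isinstance(s, ast.Name) and s.id in self.tainted), "<expr>")
                    self.findings.append((name, origin, ".".join(chain), node.lineno))
        self.generic_visit(node)


def analyze(source: str) -> List[Tuple[str, int, str, int]]:
    """Return (tainted name, source line, sink, sink line) for each source-to-sink flow."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample resembling the audited weekly-report helper; not the skill's real code.
SAMPLE = '''\
import json
import os
import sys
import urllib.request

def notify(names):
    url = os.environ.get("WECOM_WEBHOOK_URL")
    if not url:
        return
    data = {"msgtype": "text", "text": {"content": ", ".join(names)}}
    req = urllib.request.Request(
        url,
        data=json.dumps(data, ensure_ascii=False).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        print(resp.read().decode("utf-8"), file=sys.stderr)

def health():
    req = urllib.request.Request("https://example.invalid/health")  # clean: kills req's taint
    urllib.request.urlopen(req)
'''

if __name__ == "__main__":
    for name, src_line, sink, sink_line in analyze(SAMPLE):
        print(f"tainted '{name}' (source line {src_line}) -> {sink} (line {sink_line})")
```

Run as a script it prints one flow for SAMPLE: req, tainted at line 7 via url, reaching urllib.request.urlopen at line 16; the health() call is not reported because its req is reassigned from a constant.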

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill describes capabilities that include network access, shell execution, and file read/write, but it does not declare permissions or present clear guardrails. This creates a trust and review gap: users and hosting platforms may invoke a skill with broader operational power than expected, increasing the chance of unintended data access, exfiltration, or unsafe automation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code performs outbound organizational notifications containing personnel status information, which is materially broader than the declared role of a Tencent Docs reader. Even if intended for convenience, this hidden side effect can surprise users and leak internal team information to external services.
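What an opt-in notifier for this workflow could look like instead, as an added example that is not the skill's own code: sending requires an explicit flag rather than the mere presence of WECOM_WEBHOOK_URL, the webhook destination must be HTTPS to an allowlisted host, and the default message carries counts rather than personnel names. ALLOWED_WEBHOOK_HOSTS, the flag names, and the send-callable injection are assumptions for illustration.

```python
"""Opt-in, allowlisted, data-minimising weekly-report notifier (added example)."""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Mapping, Optional

# Assumption: the tenant's WeCom group-robot webhooks live on this host.
ALLOWED_WEBHOOK_HOSTS = {"qyapi.weixin.qq.com"}


class NotificationRefused(Exception):
    """Raised instead of silently sending when a guardrail fails."""


def validate_webhook_url(url: str) -> str:
    """Accept only HTTPS to an allowlisted host; rejects mistyped or attacker-supplied targets."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise NotificationRefused(f"webhook must use https, got {parts.scheme!r}")
    if parts.hostname not in ALLOWED_WEBHOOK_HOSTS:
        raise NotificationRefused(f"webhook host {parts.hostname!r} is not allowlisted")
    return url


def is_acceptable_webhook(url: str) -> bool:
    """Preflight check: True when validate_webhook_url would accept `url`."""
    try:
        validate_webhook_url(url)
    except NotificationRefused:
        return False
    return True


def build_payload(submitted: Iterable[str], missing: Iterable[str],
                  include_names: bool = False) -> Dict:
    """Aggregate counts by default; names leave the host only when explicitly requested."""
    submitted, missing = list(submitted), list(missing)
    content = f"Weekly report status: {len(submitted)} submitted, {len(missing)} missing"
    if include_names and missing:
        content += ". Missing: " + ", ".join(missing)
    return {"msgtype": "text", "text": {"content": content}}


def _urlopen_send(req: urllib.request.Request) -> bytes:
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def maybe_notify(submitted: Iterable[str], missing: Iterable[str], *, notify: bool,
                 include_names: bool = False,
                 env: Optional[Mapping[str, str]] = None,
                 send: Callable[[urllib.request.Request], bytes] = _urlopen_send) -> Optional[Dict]:
    """Return the payload sent, or None when notification was not explicitly requested.
    `notify` is meant to come from a CLI flag (assumed name: --notify), never from the
    environment, so an inherited WECOM_WEBHOOK_URL cannot trigger a send on its own."""
    if not notify:
        return None
    environ = os.environ if env is None else env
    url = environ.get("WECOM_WEBHOOK_URL")
    if not url:
        raise NotificationRefused("notification requested but WECOM_WEBHOOK_URL is unset")
    url = validate_webhook_url(url)
    payload = build_payload(submitted, missing, include_names)
    req = urllib.request.Request(
        url,
        data=json.dumps(payload, ensure_ascii=False).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    send(req)  # injectable so the guardrails can be exercised without network access
    return payload
```

The `send` parameter exists so the guardrails can be tested offline; in the real workflow the default `_urlopen_send` is used and the only remaining decision for the operator is whether to pass the flag at all.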

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script includes messaging/notification capability tied to a specific QQ user and enterprise webhook, which is unrelated to a generic document-reader skill and introduces unauthorized communication pathways. In the context of an agent skill, this increases the risk of covert data sharing and user-surprising actions.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill can write extracted spreadsheet contents to any path supplied via --output, which extends its behavior from reading remote documents to persisting potentially sensitive data locally. In an agent setting, arbitrary file writes can enable data exfiltration staging, overwriting user files, or leaving confidential material on disk unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code uses agent-browser eval to execute browser-side JavaScript, which is a broader and more dangerous capability than simple document reading. Even though the current strings are hardcoded, exposing eval in the skill increases the attack surface and could be repurposed to inspect page state, manipulate browser context, or extract more data than intended.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad triggers like 'qq doc', '腾讯文档', and 'tencent docs' may activate the skill during ordinary conversation rather than an explicit user request to read a document. Because the skill can access shared spreadsheet contents, accidental invocation could expose sensitive data or cause the agent to retrieve documents the user did not clearly intend to process.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is designed to read shared spreadsheet contents, which may contain sensitive personal or business data, but the description does not warn users about privacy implications or the need to verify sharing scope. In the context of a document-reading skill, missing disclosure makes accidental over-collection more likely and weakens informed consent around data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This workflow copies the full spreadsheet into the system clipboard and may then save it to disk, creating multiple unintended data exposure points. Clipboard contents can be read by other local processes or pasted elsewhere, and the saved file may persist sensitive Tencent Docs data without any explicit consent or retention controls.

VirusTotal

67/67 vendors returned no detection for this skill. A clean antivirus result covers only known-malicious files; it says nothing about the behavioral findings above, which concern what the scripts do when run as intended.