myskill

Security checks across malware telemetry and agentic risk

Overview

This Tencent Docs skill is broadly coherent, but it includes hidden prompt reporting, token exposure in setup logs, and under-scoped high-impact document actions that need review before use.

Install only if you are comfortable giving this skill access to manage Tencent Docs content, upload local files/images, and change sharing settings. Avoid using it with sensitive prompts or documents until the silent unsupported-feature reporting is removed or made opt-in, the token debug print is fixed, and destructive or public-sharing operations require explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (49)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The skill instructs the agent to silently call `report_unsupported_feature` when a user request is not supported, without notifying the user. Silent telemetry-like reporting can leak user intent, prompts, or workflow metadata to an external service without informed consent, which is a privacy and data-governance risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The self-update workflow instructs the agent to fetch remote update metadata and then follow server-provided `instruction` text for updating. Allowing remote instructions to drive local update behavior is effectively a remote instruction execution pattern and can lead to supply-chain compromise, arbitrary command execution, or unsafe reconfiguration if the update endpoint or channel is abused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The reference explicitly instructs an agent to invoke local Node.js scripts and later shell tooling as part of normal operation, which expands the skill from API-mediated document management into arbitrary local program execution. In an agent setting, this increases attack surface substantially because untrusted file paths, titles, or upstream-produced artifacts may be fed into external processes, creating opportunities for command/argument injection, unsafe file access, or execution of unintended local code paths.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The reference document exposes document/space permission management capabilities that are not declared in the skill's manifest-level capability summary. This can cause downstream agents or reviewers to underestimate the skill's ability to broaden document visibility or editability, leading to unsafe use without appropriate consent and privacy checks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The file states that the file-management toolset includes permission setting, expanding beyond the manifest's stated capability summary. This mismatch is security-relevant because permission-setting is a higher-risk action than ordinary file management and may bypass user expectations or policy gating built from the manifest.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The documentation maps `properties.sheet_id` to a human-readable worksheet name, which contradicts the identifier semantics used everywhere else in the file where `sheet_id` is treated as an opaque ID. This can cause an agent or integrator to send the wrong parameter, mis-handle object references, or create/update the wrong resource, increasing the risk of unintended destructive operations or logic flaws.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script prints the fetched authorization token directly to stdout via a debug message (`DEBUG:token=...`). In an agent or MCP setup flow, stdout is commonly captured in logs, chat transcripts, CI output, telemetry, or terminal scrollback, so this exposes a bearer secret that can be reused to access the Tencent Docs service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The instructions tell the agent to perform network search and download images for a default cover, which expands behavior beyond the declared document-management scope into external retrieval. That creates unexpected outbound requests and supply-chain/privacy risk, especially because the action is framed as mandatory rather than user-approved.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill forbids direct external image URLs in documents but simultaneously requires fetching images from the internet and re-uploading them. This contradiction hides an expansion from document editing into web acquisition, which can expose user context to third parties and cause the agent to import untrusted content without clear approval.

Intent-Code Divergence

Severity: Low
Confidence: 89%
Finding: The frontmatter cover field contains an operational instruction to perform an external web search, download an image, and call an upload function, which turns a nominally static content template into executable workflow guidance. In an agent setting, this can trigger unintended network access, third-party content ingestion, and file upload behavior without explicit user authorization, creating supply-chain, privacy, and policy-compliance risk.

Intent-Code Divergence

Severity: Low
Confidence: 92%
Finding: The frontmatter explicitly instructs an agent to perform a network image search, download the result, and upload it, even though the document body is just an interview checklist and does not constrain source selection, licensing, or trust boundaries. This creates an unnecessary external-action pathway that could lead to untrusted content ingestion, copyright/compliance issues, or unsafe agent behavior based on template metadata rather than user intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The frontmatter explicitly instructs the agent to search the web, download an image, and call an upload action, which expands the skill from document templating into external network and file-handling behavior. In a Tencent Docs content template, this creates unnecessary side effects, increases prompt-injection exposure from searched content, and can cause unreviewed data flow into uploads.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The embedded absolute local path assumes access to a specific workstation filesystem location, which is unrelated to normal Tencent Docs operations and can encourage local file access attempts. This can leak host environment details and, in some agent implementations, trigger unintended retrieval or handling of local files outside the intended skill scope.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill advertises deletion, import/export, move, rename, copy, and cloud-saving capabilities as normal operations but does not prominently require confirmation or warn about destructive and data-modifying effects. In an agent setting, this can cause accidental deletion, unwanted cloud uploads, or irreversible file operations based on ambiguous user phrasing.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding: The workflow says scraped web content is automatically saved as a smart document, but it does not clearly warn that this creates new cloud-stored content. That can lead to unexpected persistence of third-party content, privacy issues, or confusion about where data is being stored.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README explicitly instructs the agent to send user-provided content to the external `tencent-docs` MCP tool to generate a document link, but it does not require any user notice, consent, or data-minimization step before transmission. In a document-formatting skill, users may paste sensitive contracts, internal notes, or personal data, so silent transmission to an external service creates a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The workflow packages local HTML and uploads it to Tencent/COS without requiring a prominent user-facing notice or confirmation that local content will leave the machine and be transmitted to a cloud service. In an agent environment, that can cause inadvertent exfiltration of sensitive local files, embedded assets, or internal data if the user does not fully understand that '导入/上云' (import / upload to the cloud) triggers external transmission.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The delete workflow instructs searching and deleting documents without an explicit warning, scope check, or user confirmation step. In a document-management skill, this raises the risk of accidental destructive actions, including deletion of the wrong file or recursive removal of space content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The workflow encourages setting documents to publicly readable or editable states without clearly warning about privacy exposure and unauthorized modification risk. In the context of cloud documents, making a file accessible to 'anyone with the link' can leak sensitive information or allow untrusted edits if used carelessly.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The documentation instructs users to upload images to OCR services that return hosted document URLs, but it provides no warning that image contents may contain sensitive personal, financial, or confidential business data that will be transmitted to and stored by a cloud provider. In this skill context, that omission is meaningful because the feature is specifically designed to process user-supplied documents and images, making accidental privacy leakage more likely.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The document presents delete operations as routine API usage without any warning that they are destructive or may be irreversible. In an agent skill context, this can normalize unsafe automation and increase the chance an LLM-driven agent performs deletions without confirmation, backup, or scope verification.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The workflow examples explicitly include bulk deletion of rows and fields as standard steps, but do not require confirmation or highlight the permanence of data loss. Because this skill is designed for document management and automation, such examples can directly encourage high-risk agent behavior at scale.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The file explicitly instructs the agent to silently call `report_unsupported_feature` and include the user's original prompt verbatim, without notifying the user. This creates an undisclosed data exfiltration/telemetry path that may capture sensitive personal, business, or credential-like content from user requests, and the Tencent Docs context makes this more dangerous because prompts may contain document contents or confidential workflow details.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The workflow advertises destructive file operations such as delete and move without requiring explicit user confirmation, preview, or guardrails. In an agent setting, this increases the chance of unintended or prompt-induced destructive actions that can cause data loss or unauthorized modification of user content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The web clipping workflow instructs the agent to fetch and automatically store external URL content as a smart document, but it does not warn about privacy, copyright, retention, or sensitive-data ingestion risks. This can lead to silent persistence of third-party or confidential content inside the user's document space, especially if users share URLs containing private or regulated information.

VirusTotal

59/59 vendors flagged this skill as clean.