File Super Assistant - 文件超级助手

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does document creation and text rewriting as advertised, but it needs review because some scripts silently write to a hard-coded OneDrive/Desktop folder and keep local file history.

Review before installing. Prefer scripts that require an explicit output path, avoid or modify file_assistant.py and the OpenClaw guide generators until hard-coded OneDrive/Desktop destinations are removed, and confirm overwrite behavior before using it on important files. Use the AI-humanization feature only for legitimate editing and disclose AI assistance where required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation clearly describes reading input files and writing output documents, yet it declares no permissions. That mismatch can cause the agent runtime or user to underestimate the skill's filesystem access, reducing transparency and weakening consent around file operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A description-behavior mismatch is a serious trust and safety issue because users may authorize a benign-seeming document tool while hidden or undocumented behavior writes unrelated content, persists metadata in files.json, or targets a hardcoded desktop directory. This expands the skill's effective scope beyond user expectations and could result in unauthorized data persistence or unintended writes outside the expected workspace.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script unconditionally writes a .docx file to a hard-coded, user-specific Desktop/OneDrive path. In a skill context, this is risky because it performs filesystem writes to a predetermined personal location without user selection, confirmation, or path validation, which can cause unintended file creation or overwrite behavior and violates least surprise for a general-purpose assistant.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Writing directly to a user-specific OneDrive Desktop path is more dangerous than a generic local path because it targets a synchronized personal location, potentially causing unintended propagation to cloud-synced storage. In an agent skill, destination handling should be user-directed; hard-coding a personal path creates unauthorized side effects and may disclose assumptions about the host environment.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README uses very broad natural-language invocation examples like creating a document or rewriting text without defining explicit trigger constraints, confirmation steps, or scope boundaries. In agent environments, vague everyday phrases can cause over-broad activation or unintended execution, especially for file creation, conversion, and content rewriting actions that may affect user data.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The usage guidance instructs the agent to create and rewrite files but does not warn about overwrite semantics or modification of existing user data. In a file-manipulating skill, omission of these safeguards can lead to accidental destruction or silent replacement of user content when output paths collide with existing files.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill creates files on disk and persists metadata to files.json immediately, using a fixed desktop-adjacent output directory, without explicit confirmation or clear disclosure at the action point. In an agent context, this can cause unintended local side effects, clutter sensitive user directories, and expose file paths or user activity records without informed consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
These additional branches perform the same kind of undisclosed side-effecting behavior by writing spreadsheet/presentation outputs and updating persistent records without prior confirmation. In a local assistant skill, silent writes are more dangerous because users may interpret a conversational request as informational while the code performs filesystem changes immediately.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script unconditionally writes a .docx file to a hard-coded Desktop/OneDrive path, which causes side effects on the host filesystem without user confirmation or validation. In an agent skill context, this is risky because it assumes a specific environment, may overwrite user content, and leaks implementation behavior into a personal directory outside a controlled workspace.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The script is explicitly designed to rewrite AI-generated text so it appears more human, which facilitates deceptive disclosure practices and can help users conceal automated authorship. In the context of an assistant skill, this is more dangerous because it productizes evasion at scale without safeguards, transparency requirements, or legitimate-use constraints.

VirusTotal

66/66 vendors flagged this skill as clean.
