read-gbk

Security checks across malware telemetry and agentic risk

Overview

This is a local file-reading skill with disclosed Python execution and optional package installs for DOCX/PDF support.

Install only if you are comfortable letting the agent read files you explicitly point it at. Avoid sensitive paths such as credentials, private configs, or personal documents unless you intend to share them, and preinstall or avoid DOCX/PDF dependencies if you do not want the skill to run pip automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Runtime pip install of python-docx, run when the import is missing (excerpt as quoted by the scanner)
pip_cmd = [sys.executable, '-m', 'pip', 'install', 'python-docx', '-q']

try:
    subprocess.run(pip_cmd, check=True, capture_output=True)
    print(f"[自动安装] python-docx 安装成功", file=sys.stderr)
    from docx import Document
except subprocess.CalledProcessError as e:
Confidence
96% confidence
Finding
subprocess.run(pip_cmd, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Runtime pip install of pypdf, run when the import is missing (excerpt as quoted by the scanner)
pip_cmd = [sys.executable, '-m', 'pip', 'install', 'pypdf', '-q']

try:
    subprocess.run(pip_cmd, check=True, capture_output=True)
    print(f"[自动安装] pypdf 安装成功", file=sys.stderr)
    from pypdf import PdfReader
except subprocess.CalledProcessError as e:
Confidence
96% confidence
Finding
subprocess.run(pip_cmd, check=True, capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes file-read and shell-execution capabilities without declaring corresponding permissions or prominently constraining their use. That makes the trust boundary unclear for users and hosting agents, and the shell capability is especially sensitive because the documented behavior includes invoking Python and potentially pip, which can access local data and modify the environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose is a local text reader with GBK/UTF-8 detection, but the documented behavior expands into parsing .docx/.pdf and automatically running pip to install third-party packages. This mismatch is dangerous because users or policy engines may approve a seemingly simple read-only skill while it actually performs package installation and broader file processing, increasing attack surface and enabling unexpected code execution paths.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The advertised purpose is reading local text files with encoding detection, but the code also parses `.docx` and `.pdf` files and auto-installs packages to do so. This mismatch is security-relevant because it hides broader capability and side effects from users and reviewers, reducing informed consent and increasing the chance of unexpected environment changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Invoking `pip` to install `python-docx` at runtime is not justified by the stated task and creates a clear supply-chain and environment-modification risk. In a skill context, users expect file reads, not code acquisition and installation, so this behavior is materially more dangerous than in a standard installer or setup script.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script installs `pypdf` at runtime to support PDF handling, which exceeds the declared scope of a local text reader and silently changes the execution environment. This is dangerous because it can fetch and execute third-party package installation logic in response to normal use, expanding attack surface and trust assumptions.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The documentation understates behavior by focusing on text files and encoding detection while the implementation also handles PDFs and performs runtime package installation. Documentation/behavior divergence is dangerous in security-sensitive agent skills because reviewers may approve capabilities they did not actually inspect for side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is designed to read arbitrary local files and emit their contents directly to stdout, but it does not clearly warn that this can expose sensitive data such as credentials, personal documents, or configuration secrets to logs, calling agents, or downstream tools. In this context, the risk is real because the examples target local documents and project files, which are often sensitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic installation of `python-docx` executes a subprocess and changes the host environment without prior confirmation. In an agent skill, unexpected environment mutation and network access are high-risk because they violate least surprise and may be abused in locked-down or sensitive environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic installation of `pypdf` similarly performs environment-changing subprocess execution without user approval. This increases risk in the skill context because a simple file-read request can unexpectedly trigger package management operations and associated supply-chain exposure.

VirusTotal

59/59 vendors flagged this skill as clean.