
Security audit

MBA Thesis Workflow

Security checks across malware telemetry and agentic risk

Overview

The thesis-writing workflow mostly matches its stated purpose, but it contains an unsafe parser that can execute code embedded in an AI response, plus several under-scoped local file and config behaviors.

Review carefully before installing. Do not run this skill in a trusted workspace until reviewer.py replaces eval() with strict JSON parsing and schema validation, config.env gets safer handling (owner-only permissions, kept out of version control), and the destructive and auto-advance paths are gated behind explicit confirmation. If testing is necessary, use a disposable workspace with no secrets and inspect any package installation or generated files first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

eval() call detected

High
Category
Dangerous Code Execution
Content
        # Try to extract JSON (it may be inside a markdown code block)
        json_match = re.search(r'\{[\s\S]*\}', response)
        if json_match:
            result = eval(json_match.group())  # safe simple parsing
        else:
            result = eval(response)  # parse directly
    except Exception:
Confidence
99% confidence
Finding
result = eval(json_match.group())  # safe simple parsing

eval() call detected

High
Category
Dangerous Code Execution
Content
        if json_match:
            result = eval(json_match.group())  # safe simple parsing
        else:
            result = eval(response)  # parse directly
    except Exception:
        return {
            "ok": False,
Confidence
99% confidence
Finding
result = eval(response)  # parse directly

eval() call detected

High
Category
Dangerous Code Execution
Content
    try:
        json_match = re.search(r'\{[\s\S]*\}', response)
        if json_match:
            result = eval(json_match.group())
        else:
            result = eval(response)
        return {"ok": True, **result}
Confidence
99% confidence
Finding
result = eval(json_match.group())

eval() call detected

High
Category
Dangerous Code Execution
Content
        if json_match:
            result = eval(json_match.group())
        else:
            result = eval(response)
        return {"ok": True, **result}
    except Exception as e:
        return {
Confidence
99% confidence
Finding
result = eval(response)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises no explicit permissions, yet its documented behavior includes shell execution, environment-variable use, and file read/write operations via Python and CLI scripts. This creates a trust-boundary problem: users or platforms may treat the skill as low-privilege while it can actually execute local commands and manipulate workspace files, increasing the chance of unintended command execution or data exposure.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The installer automatically invokes pip to install python-docx, which introduces network and package-management behavior during setup that goes beyond simple local configuration. Even though python-docx is plausibly relevant to document generation, unattended package installation increases supply-chain and environment-modification risk, especially if users do not expect network access or package changes from a thesis-writing skill. If the dependency is genuinely required, it should be pinned to a specific version (ideally with a hash) and installed only after the user has been told and has agreed.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The comment labels the eval-based parsing as 'safe,' which is misleading and increases the chance the dangerous code remains unreviewed or is copied elsewhere. Misstating security properties around an RCE sink materially raises maintenance risk and can delay detection and remediation.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This reviewer module introduces arbitrary code execution by evaluating model output, despite the feature only needing structured quality metadata. The capability is unjustified by the skill’s purpose, so any compromise of the model output channel can become full host compromise.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The helper parser independently exposes the same unjustified code-execution behavior, broadening the attack surface beyond the main review flow. Reusable helper functions are especially risky because other modules may call them assuming they are safe utilities.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI presents multiple human-in-the-loop choices for outline and attribution review, but the code ignores the selected option and unconditionally calls the confirmation action afterward. This defeats operator intent and can push unreviewed or rejected content into later phases, undermining approval gates and workflow integrity.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The CLI exposes a `delete` action that removes the workflow state file for any supplied paper name with no confirmation, authorization check, or workflow gating. In a thesis-writing skill, this creates an unnecessary destructive capability that can cause loss of progress or be abused by another component or user with local CLI access.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger rules include broad contextual keywords such as '论文' (thesis), 'MBA', '答辩' (thesis defense), and '开题' (proposal), plus generic .docx export requests for academic content, which can cause the skill to activate in unrelated conversations. Because this skill then mandates a more powerful workflow involving scripts and file operations, accidental triggering can unnecessarily expose users to higher-risk behaviors and unexpected command execution paths.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script stores personal data including user email, sender email, and author name in config.env without warning the user about local persistence, file location, or expected file protections. This can expose sensitive personal information to other local users, backups, or accidental commits if the skill directory is later synchronized or version-controlled.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly instructs agents to perform 'spawn / exec / file write' as part of an automated phase loop, but it does not pair those actions with a clear user-facing warning, approval gate, or scope limitation on which files may be modified. In a long-running orchestration workflow, this can lead to unintended file changes or command execution with user data or system impact, especially because the design emphasizes auto-retry and automatic progression.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The 'soft error → auto-fix and retry' behavior describes automatic repair of generated content without an explicit warning that user documents may be altered. Because this is framed as guardrail-driven remediation, users may not realize outputs are being modified programmatically, which risks silent corruption, unwanted edits, or loss of authorship traceability in academic documents.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Word verification flow allows automatic fixing and regeneration of the final .docx deliverable, but does not clearly warn about overwriting or altering a near-final submission artifact. In this specific skill context, the thesis document is a high-stakes final deliverable to an advisor, so silent regeneration can introduce formatting/content regressions or replace a user-approved version without clear consent.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code persists the full generated paper to a predictable local path under papers/ without any explicit confirmation in this code path about disk persistence, retention, or sensitivity handling. In a thesis-writing workflow, the content may include proprietary research, personal data, or confidential academic material, so silent storage increases the risk of unintended disclosure on shared hosts or multi-user environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends document-derived headings and, elsewhere in the same flow, paragraph text to an LLM callback without any built-in consent, minimization, or disclosure controls. If llm_func is backed by a remote model service, sensitive thesis or proposal contents could be exfiltrated to third parties unexpectedly, which is especially risky for unpublished academic work or confidential business case material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
`outline_delete()` permanently deletes the state file without any confirmation, recovery mechanism, or warning. Because the skill manages long-running thesis workflow state under the user's home directory, accidental or induced invocation can destroy progress and disrupt the workflow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cleanup routine recursively deletes a path under the real user's home directory ('~/.openclaw/workspace/test_run_workflow_v206'). In a test context this is dangerous because it performs destructive filesystem operations outside an isolated temporary directory, and if naming collisions, symlink issues, or path assumptions fail, user data could be removed unexpectedly.
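
The following is an added example written for this review, not code from the skill, showing how the two destructive paths above (the `delete` action / `outline_delete()` and the test cleanup) can be gated. The file layout (one `<paper>.state.json` per paper in a single state directory, a sibling `.trash` directory) and the function names are assumptions, since the skill's real paths are not shown on this page. The paper name is treated as untrusted input: it may not contain path separators, the resolved path must stay directly inside the state directory, symlinks are refused, and deletion moves the file to `.trash` instead of unlinking it. The test-cleanup guard only removes trees that live under the system temp directory.

```python
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

# Hypothetical layout: one "<paper>.state.json" file per paper in state_dir.
STATE_SUFFIX = ".state.json"


def resolve_state_file(state_dir: Path, paper_name: str) -> Path:
    """Map an untrusted paper name to a file that must sit directly in state_dir."""
    if not paper_name or paper_name in (".", "..") or any(c in paper_name for c in "/\\\0"):
        raise ValueError(f"invalid paper name: {paper_name!r}")
    root = state_dir.resolve(strict=True)
    candidate = root / f"{paper_name}{STATE_SUFFIX}"
    # A symlink here would let resolve() walk out of the directory; refuse it.
    if candidate.is_symlink():
        raise PermissionError(f"refusing to touch symlink: {candidate}")
    if candidate.resolve().parent != root:
        raise PermissionError(f"path escapes state directory: {candidate}")
    return candidate


def outline_delete_safe(state_dir: Path, paper_name: str, confirm: bool = False) -> Optional[Path]:
    """Gated, recoverable replacement for an unconditional unlink.

    Returns the trash location, or None if there was nothing to delete.
    """
    if not confirm:
        raise PermissionError("delete requires explicit confirmation (confirm=True)")
    target = resolve_state_file(state_dir, paper_name)
    if not target.is_file():
        return None
    trash = target.parent / ".trash"
    trash.mkdir(exist_ok=True)
    dest = trash / f"{target.name}.{time.time_ns()}"  # keeps older copies distinct
    shutil.move(str(target), str(dest))
    return dest


def remove_test_workspace(path: Path) -> None:
    """rmtree guard for tests: only delete trees inside the system temp directory."""
    tmp_root = Path(tempfile.gettempdir()).resolve()
    resolved = path.resolve()
    if path.is_symlink() or tmp_root not in resolved.parents:
        raise PermissionError(f"refusing to remove {path}: not under {tmp_root}")
    shutil.rmtree(resolved)


def demo() -> dict:
    """Exercise every guard in a throwaway directory and report what each call did."""
    out = {}
    with tempfile.TemporaryDirectory() as td:
        state_dir = Path(td) / "state"
        state_dir.mkdir()
        (state_dir / "thesis1.state.json").write_text("{}")
        outside = Path(td) / "outside.txt"          # a file a symlink could point at
        outside.write_text("keep me")
        (state_dir / "evil.state.json").symlink_to(outside)
        try:
            outline_delete_safe(state_dir, "thesis1")
            out["unconfirmed"] = "deleted"
        except PermissionError:
            out["unconfirmed"] = "blocked"
        dest = outline_delete_safe(state_dir, "thesis1", confirm=True)
        out["trashed_into"] = dest.parent.name if dest else None
        out["original_gone"] = not (state_dir / "thesis1.state.json").exists()
        out["second_delete"] = outline_delete_safe(state_dir, "thesis1", confirm=True)
        for name in ("../outside", "evil"):
            try:
                outline_delete_safe(state_dir, name, confirm=True)
                out[name] = "deleted"
            except (ValueError, PermissionError) as e:
                out[name] = type(e).__name__
        out["outside_intact"] = outside.read_text() == "keep me"
        ws = Path(td) / "test_run_workflow"
        ws.mkdir()
        (ws / "scratch.txt").write_text("x")
        remove_test_workspace(ws)
        out["workspace_removed"] = not ws.exists()
        try:
            remove_test_workspace(Path("/definitely/not/under/tmp"))
            out["outside_tmp"] = "removed"
        except PermissionError:
            out["outside_tmp"] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Moving to `.trash` rather than unlinking is what makes an accidental or induced `delete` survivable; a periodic purge of `.trash` can be added once the workflow has a clear retention rule. The cleanup guard deliberately keys on the system temp directory, so a test that needs a fixture under `~/.openclaw/workspace` has to be rewritten to use a temporary directory instead.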

Unvalidated Output Injection

High
Category
Output Handling
Content
        if json_match:
            result = eval(json_match.group())  # safe simple parsing
        else:
            result = eval(response)  # parse directly
    except Exception:
        return {
            "ok": False,
Confidence
99% confidence
Finding
eval(response

Unvalidated Output Injection

High
Category
Output Handling
Content
        if json_match:
            result = eval(json_match.group())
        else:
            result = eval(response)
        return {"ok": True, **result}
    except Exception as e:
        return {
Confidence
99% confidence
Finding
eval(response
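
The following is an added example written for this review, not code from the skill, covering the eval() findings above (the reviewer module, the helper parser, and the two output-injection matches). It puts a minimal mirror of the flawed pattern next to a hardened parser that extracts the first JSON object from model text (fenced or bare), decodes it with the JSON decoder only, and checks it against an allow-list schema. The sample responses and the `SCHEMA` (score, pass, issues) are constructed assumptions about what the review step needs; the skill's real field names are not shown on this page. Besides being a code-execution sink, the eval() approach is not even a JSON parser: JSON `true`/`false`/`null` are not Python names, so well-formed model output fails while an attacker-shaped Python literal succeeds.

```python
import json
import re
from typing import Any

BACKTICKS = "`" * 3  # markdown code-fence marker

# Constructed sample model responses (not taken from the skill) covering the
# cases a review-result parser has to handle.
RESPONSES = {
    "fenced": "Review done.\n" + BACKTICKS + "json\n"
              + '{"score": 8, "pass": true, "issues": ["weak citation in 2.1"]}\n'
              + BACKTICKS,
    "bare": '{"score": 4, "pass": false, "issues": []}',
    "trailing": '{"score": 7, "pass": true, "issues": ["a"]} -- see {note}',
    "prose": "I cannot review this draft.",
    # Python literals, not JSON: exactly what an attacker targeting eval() would send
    "injected": '{"score": 10, "pass": True, "issues": [], "x": __import__("os").getpid()}',
}

# Hypothetical schema for the structured quality metadata the review step needs:
# field -> accepted type(s). Unknown and missing fields are rejected.
SCHEMA = {"score": (int, float), "pass": bool, "issues": list}

_FENCE = re.compile(r"`{3}(?:json)?\s*([\s\S]*?)`{3}", re.IGNORECASE)


def parse_unsafe(response: str) -> dict[str, Any]:
    """Mirror of the flawed pattern: greedy brace regex, then eval() on model text."""
    try:
        m = re.search(r"\{[\s\S]*\}", response)
        result = eval(m.group() if m else response)  # arbitrary code execution sink
        return {"ok": True, **result}
    except Exception as e:
        return {"ok": False, "error": f"{type(e).__name__}: {e}"}


def extract_json_object(text: str) -> dict[str, Any]:
    """Return the first JSON object in model text using only the JSON decoder."""
    fenced = _FENCE.search(text)
    if fenced:
        text = fenced.group(1)
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in response")
    obj, _end = json.JSONDecoder().raw_decode(text[start:])  # stops at the object's end
    if not isinstance(obj, dict):
        raise ValueError("top-level JSON value is not an object")
    return obj


def validate(obj: dict[str, Any]) -> dict[str, Any]:
    """Enforce the schema: exact key set, correct types, issues is a list of strings."""
    unknown = set(obj) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for key, typ in SCHEMA.items():
        if key not in obj:
            raise ValueError(f"missing field: {key}")
        val = obj[key]
        # bool is a subclass of int, so true/false must not pass as a score
        if typ is not bool and isinstance(val, bool):
            raise ValueError(f"{key}: got a bool, expected {typ}")
        if not isinstance(val, typ):
            raise ValueError(f"{key}: expected {typ}, got {type(val).__name__}")
    if not all(isinstance(item, str) for item in obj["issues"]):
        raise ValueError("issues must be a list of strings")
    return obj


def parse_review(response: str) -> dict[str, Any]:
    """Hardened replacement: JSON decode plus schema check, no code execution."""
    try:
        return {"ok": True, **validate(extract_json_object(response))}
    except ValueError as e:  # json.JSONDecodeError is a ValueError subclass
        return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    for name, text in RESPONSES.items():
        print(f"{name:8} unsafe -> {parse_unsafe(text)}")
        print(f"{name:8} safe   -> {parse_review(text)}")
```

Running it shows the asymmetry: `parse_unsafe` rejects the fenced and bare JSON samples with a `NameError` on `true`/`false`, yet accepts the injected sample and executes the embedded call. `parse_review` does the opposite, and `raw_decode` also fixes the greedy-regex problem, since it stops at the end of the first object instead of grabbing everything up to the last `}` in the response.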

Credential Access

High
Category
Privilege Escalation
Content
    read -p "Author name: " AUTHOR_NAME

    # write config.env
    cat > "$SKILL_DIR/config.env" << EOF
# MBA Thesis Workflow configuration (auto-generated)
WORKSPACE_ROOT=$WORKSPACE_ROOT
Confidence
87% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    read -p "Author name: " AUTHOR_NAME

    # write config.env
    cat > "$SKILL_DIR/config.env" << EOF
# MBA Thesis Workflow configuration (auto-generated)
WORKSPACE_ROOT=$WORKSPACE_ROOT
USER_EMAIL=$USER_EMAIL
Confidence
84% confidence
Finding
.env"
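
The following is an added example written for this review, not code from the skill, showing the handling the config.env findings above call for. The installer writes the file from a shell script; this shows the same step in Python so it can be checked offline. The key names beyond WORKSPACE_ROOT, USER_EMAIL and AUTHOR_NAME, and the helper names, are assumptions. The writer creates the file with mode 0600, refuses to follow an existing symlink at that path, quotes values so the file is still safe to `source` from bash, and adds the file to a sibling `.gitignore`; the checker reports what a reviewer would look for before trusting the file. Note the limits: the contents stay plaintext, so 0600 protects against other local users but not against backups or sync tools that copy the directory.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path


def write_private_config(path: Path, values: dict[str, str]) -> Path:
    """Write KEY=value lines readable only by the owner; never follow a symlink."""
    lines = []
    for key, value in values.items():
        if not key.isidentifier() or "\n" in value:
            raise ValueError(f"refusing to write key {key!r}")
        lines.append(f"{key}={shlex.quote(value)}")  # safe to `source` from bash
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("# MBA Thesis Workflow configuration (auto-generated)\n")
        f.write("# Contains personal data: kept at mode 0600 and excluded from git.\n")
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # O_CREAT's mode is masked by umask and ignored for existing files
    return path


def read_private_config(path: Path) -> dict[str, str]:
    """Parse the file back the way a shell would (quotes removed)."""
    values = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        if not raw or raw.startswith("#"):
            continue
        key, _, quoted = raw.partition("=")
        values[key] = shlex.split(quoted)[0] if quoted else ""
    return values


def ensure_gitignored(path: Path) -> None:
    """Add the config file name to a .gitignore next to it if it is not already there."""
    gitignore = path.parent / ".gitignore"
    existing = gitignore.read_text().split() if gitignore.is_file() else []
    if path.name not in existing:
        with gitignore.open("a") as f:
            f.write(path.name + "\n")


def config_problems(path: Path) -> list[str]:
    """Checks to run before trusting the file: symlink, permission bits, .gitignore."""
    problems = []
    if path.is_symlink():
        problems.append(f"{path} is a symlink")
    mode = stat.S_IMODE(path.lstat().st_mode)
    if mode & 0o077:
        problems.append(f"{path.name} is accessible to group/others (mode {mode:04o})")
    gitignore = path.parent / ".gitignore"
    if not (gitignore.is_file() and path.name in gitignore.read_text().split()):
        problems.append(f"{path.name} is not listed in {gitignore}")
    return problems


def demo() -> dict:
    """Write, read back and audit a config.env in a throwaway directory."""
    out = {}
    with tempfile.TemporaryDirectory() as td:
        cfg = Path(td) / "config.env"
        values = {  # constructed sample data, not real user details
            "WORKSPACE_ROOT": "/home/alice/workspace",
            "USER_EMAIL": "alice@example.com",
            "AUTHOR_NAME": "Zhang San",
        }
        write_private_config(cfg, values)
        out["roundtrip"] = read_private_config(cfg) == values
        out["mode"] = stat.S_IMODE(cfg.stat().st_mode)
        out["before_gitignore"] = config_problems(cfg)
        ensure_gitignored(cfg)
        out["after_gitignore"] = config_problems(cfg)
        cfg.chmod(0o644)  # simulate a later permission regression
        out["after_chmod"] = config_problems(cfg)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17} {value}")
```

`config_problems` is the kind of check that belongs in the skill's own setup or self-test path, so that a file left world-readable by a bad umask or committed by accident is caught before personal data spreads.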

VirusTotal

63/63 vendors flagged this skill as clean.
