AutoDimension Report Skill En

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent document-review purpose, but its OCR fallback can automatically run an unpinned OCR script discovered from broad local skill directories.

Review before installing. Use it only with task folders you intend to process, and assume images may be sent to the configured OCR endpoint. Prefer HTTP-only OCR or set HERDSMAN_SKILL_DIR to a specific trusted OCR skill; do not rely on automatic fallback unless you trust every local skill directory it may search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
raise RuntimeError("No fallback OCR script found")
    proc_env = os.environ.copy()
    proc_env["HERDSMAN_BASE_URL"] = normalize_base_url(config["base_url"])
    proc = subprocess.run(
        [
            "uv",
            "run",
Confidence
92% confidence
Finding
proc = subprocess.run( [ "uv", "run", "python", str(ocr_script), str(image_path), "--model", config["ocr

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
`resolve_ocr_script()` searches multiple directories, including the workspace and `~/.openclaw/skills`, for any `scripts/ocr.py` and then trusts the first one found. This broad discovery mechanism creates an unsafe trust boundary: any attacker who can place or modify a matching file in those locations can influence which code gets executed during fallback OCR.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The fallback path explicitly executes external code via `uv run python`, which adds arbitrary code-execution capability beyond simple OCR API usage. In this skill context, OCR is expected, but spawning another discovered Python program substantially increases attack surface because that program is not constrained to OCR behavior.
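The two findings above describe the same trust-boundary problem from two sides: whichever scripts/ocr.py is found first becomes the program that `uv run python` executes. The following is an added example, not code from the skill or from SkillSpector. It places the flagged first-match discovery beside a pinned resolver that only honours HERDSMAN_SKILL_DIR (the variable the Overview recommends), rejects symlink escapes, and checks the script's SHA-256 before building the command line. The search roots and the `--model` argument mirror the report; the hash pin, the function names, the minimal subprocess environment and the constructed directory layout in `demo()` are assumptions for illustration.

```python
"""Added example, not the skill's own code: broad OCR-script discovery beside a pinned resolver."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional

SCRIPT_REL = Path("scripts") / "ocr.py"


def discover_first_ocr_script(search_roots: list) -> Optional[Path]:
    """The flagged pattern: return the first scripts/ocr.py found under any root.
    Whoever can write to the earliest root (e.g. the task workspace) chooses the code."""
    for root in search_roots:
        for candidate in sorted(Path(root).glob("**/scripts/ocr.py")):
            return candidate
    return None


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def resolve_pinned_ocr_script(env: dict, expected_sha256: str) -> Path:
    """Hardened form (assumed design): one operator-chosen directory, no fallback search,
    no symlink escape, and the script contents pinned to a reviewed hash."""
    skill_dir = env.get("HERDSMAN_SKILL_DIR")
    if not skill_dir:
        raise RuntimeError("HERDSMAN_SKILL_DIR not set; refusing to search for an OCR script")
    root = Path(skill_dir).resolve()
    script = (root / SCRIPT_REL).resolve()  # resolve() follows symlinks
    if root not in script.parents:
        raise RuntimeError(f"{script} escapes {root} (symlink or traversal)")
    if not script.is_file():
        raise RuntimeError(f"no OCR script at {script}")
    actual = sha256_of(script)
    if actual != expected_sha256:
        raise RuntimeError(f"OCR script hash {actual} does not match pin {expected_sha256}")
    return script


def build_ocr_command(script: Path, image: Path, model: str, base_url: str):
    """Argv plus an allowlisted environment instead of os.environ.copy().
    The allowlist is an assumption; a real deployment may need more (e.g. UV_CACHE_DIR)."""
    argv = ["uv", "run", "python", str(script), str(image), "--model", model]
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "HOME": os.environ.get("HOME", "/"),
        "HERDSMAN_BASE_URL": base_url,
    }
    return argv, env


def _refuses(env: dict, pin: str) -> bool:
    try:
        resolve_pinned_ocr_script(env, pin)
    except RuntimeError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario (no real skill installed): an attacker-writable workspace
    sits ahead of the trusted skill directory in the discovery order."""
    out = {}
    with tempfile.TemporaryDirectory() as td:
        tmp = Path(td)
        workspace, trusted, bad = tmp / "workspace", tmp / "trusted", tmp / "bad"
        for d in (workspace, trusted, bad):
            (d / "scripts").mkdir(parents=True)
        (workspace / SCRIPT_REL).write_text("print('planted in workspace')\n")
        (trusted / SCRIPT_REL).write_text("print('reviewed ocr script')\n")
        pin = sha256_of(trusted / SCRIPT_REL)

        # 1. Broad discovery: the workspace copy shadows the trusted one.
        found = discover_first_ocr_script([workspace, trusted])
        out["discovery_picked_workspace"] = found is not None and workspace in found.parents
        # 2. No HERDSMAN_SKILL_DIR: the pinned resolver does not guess.
        out["unset_refused"] = _refuses({}, pin)
        # 3. Pointed at the planted copy: hash mismatch.
        out["tampered_refused"] = _refuses({"HERDSMAN_SKILL_DIR": str(workspace)}, pin)
        # 4. Trusted directory with a matching pin: accepted, and the argv is built from it.
        script = resolve_pinned_ocr_script({"HERDSMAN_SKILL_DIR": str(trusted)}, pin)
        argv, _ = build_ocr_command(script, tmp / "page.png", "ocr-model", "https://ocr.example")
        out["pinned_ok"] = script == (trusted / SCRIPT_REL).resolve() and argv[3] == str(script)
        # 5. A symlink inside the configured directory that points outside it.
        try:
            (bad / SCRIPT_REL).symlink_to(workspace / SCRIPT_REL)
            out["symlink_refused"] = _refuses({"HERDSMAN_SKILL_DIR": str(bad)}, pin)
        except OSError:  # platform without symlink support
            out["symlink_refused"] = None
    return out


if __name__ == "__main__":
    print(demo())
```

Pinning by hash means an update to the trusted OCR skill requires re-reviewing the script and changing the pin, which is the point: the fallback should not silently pick up whatever scripts/ocr.py appeared most recently in a writable location.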

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list includes generic phrases such as supplier/quality review, table data review, PDF to DOCX, and extract images, which can match many unrelated user requests. Over-broad activation can cause this skill to run shell commands, process files, or contact OCR services in contexts where the user did not intend this particular workflow or data handling.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance uses broad intent descriptions like reviewing supplier-submitted documents, batch extracting images, and generating summary review reports without sufficiently strict exclusion rules. In an agent setting, this can cause the skill to activate on common document-processing requests and perform file and network operations beyond the user's intended scope.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal