蒋道理 | Trademark Three-Year Non-Use Cancellation Evidence Chain and Risk Review Engine (SJ-IRAC)

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for local legal evidence processing, but it exposes under-scoped local file controls and one destructive directory-cleanup option that users should review before installing.

Install only in a dedicated virtual environment and use it on trusted evidence files. Keep the Web UI bound to 127.0.0.1, do not expose the desktop/web server on a network, and avoid using --organize-dir unless it points to a disposable output folder. Consider pinning/reviewing dependency versions before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def open_folder(path: str) -> None:
    subprocess.run(["open", path], check=False)


def build_run_command(payload: Dict[str, object]) -> List[str]:
Confidence
91% confidence
Finding
subprocess.run(["open", path], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def osascript_choose_folder(prompt: str) -> str:
    safe_prompt = (prompt or "请选择文件夹").replace('"', '\\"')
    script = f'POSIX path of (choose folder with prompt "{safe_prompt}")'
    out = subprocess.check_output(["osascript", "-e", script], text=True).strip()
    return out
Confidence
84% confidence
Finding
out = subprocess.check_output(["osascript", "-e", script], text=True).strip()

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def osascript_choose_file(prompt: str) -> str:
    safe_prompt = (prompt or "请选择文件").replace('"', '\\"')
    script = f'POSIX path of (choose file with prompt "{safe_prompt}")'
    out = subprocess.check_output(["osascript", "-e", script], text=True).strip()
    return out
Confidence
84% confidence
Finding
out = subprocess.check_output(["osascript", "-e", script], text=True).strip()

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill executes external binaries and another Python script as part of normal processing, including tools resolved from PATH or hard-coded locations such as tesseract, pdftoppm, soffice, and a user-supplied generator path. In an agent environment, this expands the trust boundary and can lead to arbitrary code execution if PATH, binary locations, or the generator script are attacker-controlled.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The Web UI exposes endpoints that let a browser client browse for local files/folders and open arbitrary paths on the host, which exceeds the minimum needed for a document-generation workflow and materially expands the attack surface. In this skill context, the server is controlling a desktop environment with access to sensitive legal evidence, so arbitrary local path interaction is more dangerous than in a purely server-side application.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints CASE_INFO and the summary path to stdout after processing, and CASE_INFO contains sensitive case metadata such as parties, registration numbers, periods, paths, and generated artifact locations. In agent or shared logging environments, stdout is often centrally collected, which can leak confidential legal matter data beyond intended recipients.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code recursively deletes all contents of the target organize directory before repopulating it, and the directory is user-controlled via --organize-dir. If pointed at an unintended or sensitive path, this can cause destructive data loss outside the expected workspace.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
python-docx
pypdf
Confidence
95% confidence
Finding
pandas

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
python-docx
pypdf
PyMuPDF
Confidence
95% confidence
Finding
openpyxl

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
python-docx
pypdf
PyMuPDF
PyYAML
Confidence
95% confidence
Finding
python-docx

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
openpyxl
python-docx
pypdf
PyMuPDF
PyYAML
Confidence
95% confidence
Finding
pypdf

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl
python-docx
pypdf
PyMuPDF
PyYAML
Confidence
95% confidence
Finding
PyMuPDF

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-docx
pypdf
PyMuPDF
PyYAML
Confidence
98% confidence
Finding
PyYAML

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
93% confidence
Finding
openpyxl

Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)

High
Category
Supply Chain
Confidence
94% confidence
Finding
python-docx

Known Vulnerable Dependency: pypdf — 10 advisory(ies): CVE-2026-24688 (pypdf has possible Infinite Loop when processing outlines/bookmarks); CVE-2026-27628 (pypdf has a possible infinite loop when loading circular /Prev entries in cross-); CVE-2026-40260 (pypdf: Manipulated XMP metadata entity declarations can exhaust RAM) +7 more

Low
Category
Supply Chain
Confidence
88% confidence
Finding
pypdf

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
PyYAML

VirusTotal

66/66 vendors flagged this skill as clean.