Back to skill

Security audit

kdocs skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real KDocs cloud-document integration, but it needs review because it can install and update local executables, persist account credentials, and perform broad cloud-document actions without consistently requiring explicit confirmation.

Install only if you trust this publisher and are comfortable giving a local CLI broad access to your KDocs account. Prefer browser-based login over pasting tokens into chat, review any public-link or sharing operation before it runs, avoid using it on sensitive documents unless you understand the cloud and AI-processing flow, and treat automatic CLI or skill updates as privileged changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (47)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell-based capabilities (`kdocs-cli`, setup scripts, upgrade scripts) but does not declare permissions accordingly. This creates a transparency and policy-enforcement gap: users or orchestrators may treat the skill as lower risk than it actually is, while it can execute local commands and install software.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is cloud-document operations, but the skill also directs the agent to download binaries from a CDN, run installer scripts, detect OS/architecture, verify and extract archives, and modify the local system. That behavior materially expands the trust boundary from remote document management to local code installation, increasing supply-chain and arbitrary code execution risk if the distribution channel or scripts are compromised.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The installer writes a hidden .source marker into the install directory for analytics/source attribution, which is unrelated to the minimum functionality required to install the CLI. While not directly exploitable on its own, it creates undisclosed metadata on the user's system and may enable tracking or behavior differences in later executions.

Vague Triggers

High
Confidence
88% confidence
Finding
The skill description and keywords are extremely broad, covering generic actions like summarizing, organizing, writing, translating, and making PPTs. This can cause over-triggering for ordinary user requests, leading the agent to invoke a powerful cloud-document skill unnecessarily and exposing user content, local files, or account-linked operations to a broader set of prompts than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document describes generating PPTs from user-provided documents and explicitly mentions cloud upload and AI-driven generation, but it does not instruct the agent to warn users that their document contents may be processed by AI systems and stored in cloud services. In a document-handling skill, this omission can lead to unintended disclosure of sensitive business, personal, or regulated data to downstream processing and storage systems without informed user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs the user to copy an authentication token from the Kdocs web UI and provide it to the Agent, but it does not warn that the token is a sensitive bearer credential or describe safer handling. Any agent, prompt logs, telemetry, chat history, or downstream tool that receives the token could potentially use it to access the user's Kdocs account, making credential exposure and account compromise more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states the operation is non-idempotent and may create multiple dashboard copies on repeated calls, but it does not clearly instruct the agent to require explicit user confirmation before retrying or to implement duplicate-prevention logic. In an automation skill that manages cloud documents, this can lead to unintended resource creation, clutter, and possible downstream confusion or data governance issues if retries occur after partial failures.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents how to open a shared view, including sharing to `anyone`, but it does not require an explicit user-facing confirmation or warning that doing so may expose document data externally. In a cloud document skill, this omission can cause accidental over-sharing of sensitive business data, especially because the operation changes access control rather than only reading metadata.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The permission update flow allows changing `permission` and `share_to` without an explicit warning that the change may broaden access or make a previously restricted view externally reachable. Because this skill manages cloud-hosted documents, silent expansion from internal or assigned access to `anyone`, or from `read` to `edit`, can materially increase data exposure and tampering risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented create_document_comment capability performs a visible write operation to a cloud document, but the skill text does not require any user-facing confirmation or warning that content will be posted into a potentially shared workspace. This creates a risk that an agent could transform a casual request into an externally visible action, causing unintended disclosure, reputational harm, or spam in collaborative documents.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The upload_file section explicitly supports updating existing docx/pdf files by file_id and describes overwrite behavior, but it does not require any user-facing confirmation or warning before destructive replacement. In an agent setting, this increases the risk of accidental or prompt-induced integrity loss, because a model may overwrite an important document based on ambiguous instructions or incomplete verification.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The scrape_url guidance says any external URL must be fetched and automatically saved as a cloud document, but it omits a privacy and integrity warning about sending user-supplied links to a remote service and persisting retrieved content. This is dangerous because links may contain sensitive query tokens, internal resources, or untrusted content that gets stored automatically, creating data exposure and content-poisoning risks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents a state-changing operation that restores deleted files but provides no warning, confirmation guidance, or mention that the action modifies user data. In an agent context, this increases the risk that a model may invoke the restore operation automatically or with insufficient user awareness, leading to unintended recovery of files and possible disclosure or workspace disruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents a capability to obtain a temporary download URL and immediately perform a GET request, but it does not include a user-facing warning that this may transfer document contents over the network and result in local file saving. In a cloud-document skill handling potentially sensitive business files, this omission can lead to unintended exfiltration, unsafe handling of confidential data, or user surprise about where file contents are being stored or transmitted.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation describes a state-changing publish action but only uses soft language ('请确认题目列表已经最终确定') instead of a clear warning that publishing transitions the form from Draft to Release and may expose a live collection link. In a document/form-management skill, this can cause unintended publication of incomplete or sensitive forms, especially if an agent performs the action without explicit user confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states that `status=3` means internet public visibility, but it does not explicitly warn that selecting this value exposes the knowledge base publicly to anyone on the internet. In a document-management skill that can create persistent knowledge spaces, this omission can lead users or downstream agents to unintentionally publish sensitive business content, causing data leakage or unauthorized disclosure.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation guidance explicitly suggests using this capability to list 'someone's current knowledge bases' without stating that the caller must be that person or otherwise authorized. In a document-management skill, this can encourage enumeration of another user's private workspaces and metadata, which may expose sensitive business context even if document contents are not returned.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This documentation describes a content-modifying operation that is explicitly non-idempotent, but it does not prominently warn users that invoking it can alter live document content and create duplicate insertions if retried. In an agent setting, weak safety guidance increases the chance of accidental repeated writes, especially after transient failures or ambiguous responses, which can corrupt document structure or duplicate business content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly instructs creating a public share link for converted files and then using it to obtain download information, but it provides no warning, consent check, or safer private-access alternative. Because this skill handles PDFs that may contain contracts, invoices, reports, or other sensitive cloud documents, encouraging public sharing can unintentionally expose confidential data to anyone with the link.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly recommends creating a public share link for split PDF results and then downloading from that public link, but it does not require user consent or warn that this exposes document contents to anyone with the link. In a cloud-document skill that commonly handles contracts, invoices, reports, and other sensitive files, this can cause unintended data disclosure through oversharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The merge workflow similarly instructs creating a public share link for merged PDF outputs without any user-facing warning or permission check. Because merged files may aggregate multiple sensitive documents into one artifact, the confidentiality risk is heightened if the assistant follows this guidance automatically.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes sending full PDF or document content to a translation workflow but provides no user-facing warning about data transmission, retention, or handling of potentially sensitive files. In a cloud-document context, users may submit contracts, invoices, or internal reports, so silent content transfer to downstream translation services creates meaningful privacy and compliance risk.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The instruction forces a target-language mapping (`zh`→`en`, otherwise →`zh`) instead of honoring user intent, which can cause unintended disclosure by translating sensitive material into a broader or different audience language than requested. In a document-management skill handling business files, this can increase exposure, misdelivery, and workflow mistakes, especially when users expect a different destination language.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow instructs the agent to accept a user-supplied Kdocs document link, derive a link_id directly from the URL, generate a PPT from that document, and upload the result back to cloud storage, but it does not require an explicit consent or privacy notice before processing and storing potentially sensitive document contents. In a document-handling skill, silent transmission, parsing, and re-storage of user content increases the risk of unintended disclosure, especially when users may not realize their source document will be copied, transformed, and persisted as a new cloud artifact.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad enough to match ordinary requests like '做一页PPT' or '生成一页幻灯片', which can cause this powerful document-generation workflow to activate in situations where the user did not specifically intend Kdocs cloud operations. Because the workflow can generate content and import it directly into an existing presentation via a target link_id, over-broad routing increases the chance of unintended document modification or surprising actions in a sensitive cloud document context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup.cjs:80