Word Mail Merge Template Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Word mail-merge helper; its trigger wording is somewhat broad, but it does not install code or request sensitive access.

Install only if you want a helper for Word mail merge or DOCX template workflows. Be aware it may be invoked a little too broadly because of its generic keyword and rough trigger examples; review generated document workflows carefully when using real HR, legal, sales, or administrative data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger sentences are broad, malformed, and generic enough that the skill could activate in contexts beyond narrow Word mail-merge workflows. Overbroad activation can cause unintended routing to this skill, which increases the chance of irrelevant instructions being applied to user requests and can degrade safety and correctness in downstream automated handling.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad, unnatural, and partially generic, which increases the chance that the skill activates on loosely related user requests rather than explicit intent. In an agent environment, overbroad activation can cause incorrect tool or skill selection, leading to unintended document-processing actions, confusion, or policy bypass through misrouting rather than direct code execution.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill description is broadly scoped around common productivity tasks and several generic concepts, which can cause the agent to invoke this skill in situations only loosely related to Word mail-merge workflows. Overbroad activation increases the chance of unintended context capture, misrouting, and interference with more appropriate skills, especially because the description mixes domain-specific and generic workflow-support language.

Vague Triggers

Medium
Confidence: 95%
Finding
The keyword list includes the broad phrase "work-productivity," which is an everyday umbrella term rather than a precise trigger. This makes accidental invocation more likely across unrelated office-assistance requests, potentially exposing unrelated user context to the skill and degrading routing integrity.

Vague Triggers

Low
Confidence: 89%
Finding
The example trigger phrases are written in highly generic helper language like "Help me" and "I need a practical workflow," with insufficient scoping to a narrow operational context. While the examples mention Word-template-related content, their structure still encourages broad matching patterns and can train invocation logic toward everyday phrasing rather than precise intent detection.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill enables implicit invocation without any visible, narrow activation constraints, which can cause it to be auto-selected in broader contexts than intended. Because this skill can influence document-generation workflows for legal, HR, sales, and administrative use cases, unintended invocation could lead to prompt-scope expansion, unsafe document automation guidance, or misuse in sensitive business processes.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger sentences are malformed and extremely broad, embedding generic phrasing like 'Help me' and 'I need' around a long requirement description rather than a precise activation condition. This can cause accidental or inappropriate skill invocation, making downstream behavior less predictable and potentially routing unrelated user requests into a document-automation workflow that may generate misleading guidance or process sensitive business content unnecessarily.

VirusTotal

64/64 vendors flagged this skill as clean.
