Work Productivity Word Mail Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This skill is a document-workflow helper for Word mail merge and DOCX templates, with no executable code or hidden data access found.

Install this if you want help with Word mail merge or DOCX template workflows. Be aware it may be invoked too broadly in some agent setups, so confirm the task is actually about Word/DOCX automation before following generated workflow or code, especially for legal, HR, or other sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger sentences are broad, unnatural, and partially generic, including phrases like "Help me" and "I need a practical workflow" that can match ordinary user requests without strong scoping. This can cause unintended skill activation or over-selection, which is risky because the skill may steer document-processing workflows when the user did not explicitly request this specific capability.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad, unnatural, and partially templated, which increases the chance that the skill could be invoked unintentionally from loosely related user prompts. In an agent environment, accidental invocation can cause workflow confusion, misrouting, or inappropriate use of the skill in contexts the user did not intend.

Vague Triggers

Medium
Confidence: 91%
Finding
The skill description uses broad activation language that can match many loosely related productivity requests, increasing the chance the skill is invoked outside its intended Word/DOCX workflow scope. Over-broad routing can cause prompt hijacking of general tasks, inappropriate tool selection, and reduced reliability or safety controls that depend on narrow skill boundaries.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger keyword list includes overly generic terms such as "work-productivity," which overlap with many everyday requests unrelated to this skill. Broad keywords make accidental or adversarial triggering easier, potentially diverting unrelated conversations into this skill and weakening contextual safeguards.

Vague Triggers

Medium
Confidence: 96%
Finding
The skill enables allow_implicit_invocation without any visible activation constraints, so the agent may invoke it based only on broad similarity to user intent. That increases the chance of unintended skill execution, which can expose document-processing capabilities in contexts where the user did not explicitly request this workflow and can widen the attack surface for prompt/skill routing abuse.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger sentences are overly broad and grammatically malformed, which increases the chance that the skill will activate on ordinary user requests that only loosely mention Word help or workflows. In an agent setting, ambiguous activation criteria can cause incorrect tool/skill routing, unintended execution paths, and expanded exposure to any risky behavior in the skill or downstream automation.

VirusTotal

64/64 vendors flagged this skill as clean.