Back to skill

Security audit

文档内容总结 Summary & Analysis txt/docx/pdf/xlsx/xls

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local document summarizer, with the main cautions being local file contents sent into the OpenClaw LLM flow and automatic installation of document-reading Python packages.

Install only if you are comfortable with a Python-based local file reader. Use a virtual environment or preinstall the listed dependencies yourself, and do not point it at confidential, regulated, or highly private documents unless your OpenClaw LLM data-handling policy allows that content flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""自动安装Python包(中英双语提示)"""
    print_step(f"正在自动安装依赖库: {package_name}")
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", package_name], 
                              stdout=subprocess.DEVNULL, 
                              stderr=subprocess.DEVNULL)
        print(f"✅ 成功安装 {package_name} / Successfully installed {package_name}")
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package_name], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares only informal requirements in prose while exposing capabilities that amount to local file reading and shell-like execution via Python, including stated runtime package installation. This is dangerous because users and platforms may under-assess the trust boundary: the skill can access arbitrary local documents and invoke package-management behavior without explicit, structured permission disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior does not match the actual capability set: it claims summary/analysis and external LLM transmission, but the implementation reportedly only extracts content and also performs pip subprocess installation. Behavior mismatches are security-relevant because they prevent informed consent, can hide risky execution paths, and may cause users to expose sensitive files under false assumptions about what the skill will do.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A document-summary skill should read local files, but this implementation can install Python packages on demand, which is behavior outside the stated purpose. That means opening a document can trigger network access, package resolution, and execution of installer logic, creating supply-chain and environment-integrity risks unrelated to summarization.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest presents this as a local document analysis tool, but the code alters the local environment by installing software. This mismatch is dangerous because users may grant access expecting read-only file handling, while the skill actually performs state-changing operations that can introduce new software, create persistence in the environment, and violate least-privilege expectations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Broad English triggers like 'summarize for me' or 'analyze for me' can activate in ordinary conversation without a strong file-specific constraint. In a skill with local file access, overbroad activation increases the risk of unintended invocation and accidental disclosure of local document contents.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Chinese triggers are similarly broad and can match common requests like '帮我总结' or '分析一下' without clearly indicating local-file access. Because this skill reads local documents, ambiguous activation can lead to unintended file operations or users consenting to more access than they realize.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill automatically runs pip without prior consent, meaning users are not clearly warned that analyzing a file may trigger package installation and environment changes. In this context, that is more dangerous because the skill is positioned as a simple file reader/summarizer, so operators are less likely to expect networked installation behavior or review the implications before execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.