Back to skill

Security audit

文件总结 File Summary & Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it reads a user-selected local document for summarization, while openly noting that it may install Python dependencies and use the configured OpenClaw LLM.

Install only if you are comfortable granting it access to the local files you explicitly ask it to summarize. Use it in a trusted Python environment, review or preinstall the listed dependencies if supply-chain control matters, and avoid confidential documents unless your OpenClaw and LLM provider setup is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""自动安装Python包"""
    print_step(f"正在自动安装依赖库: {package_name}")
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", package_name], 
                              stdout=subprocess.DEVNULL, 
                              stderr=subprocess.DEVNULL)
        print(f"✅ 成功安装 {package_name}")
Confidence
91% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package_name], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill requests or enables capabilities equivalent to local file reading and Python execution, but the permissions section does not clearly and formally declare those capabilities. This can mislead users and reviewers about the actual trust boundary, especially because Python execution may invoke shell/package-management behavior and local file access can expose sensitive documents.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a document summarizer, but its documented behavior includes raw content extraction and automatic pip-based dependency installation. That mismatch creates a material security risk because users may authorize a seemingly simple summary action without realizing the skill can expose full document contents and execute package installation code in the local environment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Auto-installing Python packages via pip is not necessary for a simple local document summary/read skill and introduces a software supply-chain risk. A user who only intends to process a local file would indirectly cause network access and code installation on the host, which is especially dangerous in an agent/skill environment where users may not expect environment mutation.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrases are broad enough to match common requests like 'help me summarize' or 'analyze document,' which can cause the skill to activate in situations the user did not intend. In a skill that reads local files and may forward content for summarization, over-triggering increases the chance of unintended access to sensitive documents.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill states that summarization is integrated with an LLM but does not clearly warn that document contents may be transmitted to that model. For local files, this is a significant privacy and confidentiality issue because users may expect processing to remain local while the skill sends sensitive content to an external or separate model service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script installs packages automatically without any confirmation, making system changes on behalf of the user without informed consent. Even when the package names are hardcoded, this behavior is risky because it creates unexpected network activity, modifies the Python environment, and may execute package-provided install/build code.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.