Wps Skill

Security checks across malware telemetry and agentic risk

Overview

This WPS automation skill is disclosed and purpose-aligned, but it can modify local documents, automate the active desktop window, and optionally use WPS 365 credentials.

Install only if you trust it to control WPS Office on your desktop. Keep the target WPS window focused when using content insertion, avoid batch operations on important folders without backups, and leave WPS 365 credentials blank unless you need cloud features and can protect the local config file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    cmd = ["wps", filepath]

subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

return {
    'success': True,
Confidence
79% confidence
Finding
subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises substantial capabilities including local file read/write, subprocess launch, GUI automation, and outbound network access, but it does not declare permissions or clearly scope those capabilities in a machine-enforceable way. This increases the chance that a host agent or user will invoke the skill with broader trust than intended, leading to unexpected file access, application control, or credential-bearing network operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description focuses on document creation, Markdown conversion, and image-text layout, but the documented behavior also includes directory enumeration, batch processing, subprocess-based application control, active-window typing via pyautogui, and WPS 365 network/API operations. That mismatch is dangerous because it can hide materially different security-relevant behaviors from users and policy systems, especially GUI automation and outbound API access using credentials.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements substantial cloud-management capabilities for WPS 365 forms, docs, sheets, flowcharts, and mind maps, while the declared skill purpose only mentions local office automation, Markdown conversion, and image-text layout. This is a significant scope mismatch that can mislead users and reviewers about the skill's real capability set, especially because it enables access to remote data and credential-backed operations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill performs outbound authenticated API calls to WPS Open Platform even though the stated purpose does not clearly justify networked cloud access. In skill ecosystems, undisclosed network access is dangerous because it expands the trust boundary, may expose document metadata or business data, and can surprise users who expected only local document handling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Using pyautogui to type into the currently active window gives the skill broad GUI-control capability that goes beyond ordinary file automation. Because focus may change unexpectedly, attacker-controlled or mistaken content could be injected into the wrong application, chat window, terminal, or privileged prompt, causing unintended actions or data leakage.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The release notes advertise WPS 365 cloud features such as document, form, table, and sharing operations that go beyond the skill’s stated local Office automation focus. This creates a security-significant scope mismatch: users may install or trust the skill for local conversion tasks without realizing it can interact with remote cloud services and potentially access or transmit document data.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Documenting cloud document and data-management capabilities without clearly justifying them within the skill’s stated purpose increases the risk of overbroad access and user surprise. Even if the functionality is legitimate, hidden or weakly scoped cloud features can enable unnecessary handling of sensitive files, forms, and tabular data through external services.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The helper functions default to saving back to the original Excel path when output_path is omitted, which can silently overwrite user data. In an automation skill context, this increases the chance of destructive file modification, especially when driven by agent actions or untrusted task parameters.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends `app_id` and `app_secret` to obtain access tokens and then uses those tokens for API requests, but there is no clear user-facing disclosure or consent flow around credential use and remote transmission. This is risky in a skill setting because users may not realize the skill is authenticating to a third-party cloud service and acting on their behalf.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill automatically types provided content into whichever window is active after a fixed delay, without any warning or verification. This can modify user content unexpectedly, send messages, alter commands, or leak sensitive text if focus is stolen or changes before typing begins.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The helper writes the modified presentation back to the input path when no output_path is provided, which can silently overwrite the original PPTX. In an agent context, this is risky because a caller may expect a non-destructive transformation, and a malformed or unintended operation could permanently destroy the user's only copy of a document.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function has the same unsafe behavior: if output_path is omitted, it saves the modified PPT back to pptx_file, silently replacing the original. In automation workflows, especially agent-driven ones, this can lead to unexpected data loss or destructive modification of user-owned files without clear disclosure.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list is very broad and contains generic terms like 'wps', '文档', '表格', 'excel', 'word', and '编辑文档', which can match many ordinary user requests unrelated to this specific skill. Over-broad activation can cause unintended execution of an exec-capable skill, increasing the chance of surprise actions, prompt routing mistakes, or abuse by steering benign document conversations into this skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown states that app_id and app_secret are needed for WPS 365 features but does not warn users that using those features may transmit document and business data to remote cloud services. This omission undermines informed consent and can lead users to expose sensitive content, metadata, or records without understanding the privacy and compliance implications.

VirusTotal

60/60 vendors flagged this skill as clean.
