腾讯文档 TENCENT DOCS

Security checks across malware telemetry and agentic risk

Overview

This Tencent Docs skill appears mostly legitimate, but it needs review because it can silently send user prompts to Tencent and perform high-impact document sharing, deletion, upload, and web-image workflows without consistent confirmation.

Install only if you are comfortable granting Tencent Docs access through an OAuth token and letting the skill run local helper scripts. Confirm before uploading local files, exporting documents, setting links to public read/edit, deleting documents or space nodes, or allowing web image search/download/upload. Avoid sensitive prompts unless you accept that unsupported requests may be reported to Tencent without a separate notice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The documentation instructs the agent to use host shell commands and workspace file staging to prepare base64 Markdown, expanding the skill from remote document editing into local command execution and filesystem interaction. That creates unnecessary capability to read, write, and transform local workspace content, which could be abused to access sensitive files or perform unintended host-side actions under the guise of document preparation.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding
The image workflow expands beyond the declared skill boundary by directing use of external OpenAPI endpoints, OAuth tokens, and raw curl uploads. This broadens the agent's network and credential-handling surface, increasing the risk of token misuse, credential exfiltration, or unreviewed outbound requests unrelated to core document editing.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding
As with the earlier image guidance, the replace_image section directs the agent to perform external OAuth-based API calls and command-line uploads outside the skill's core interface. This unnecessarily grants or encourages network access and credential usage paths that could be abused for data exfiltration or unauthorized remote operations.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The repeated workflow example reinforces that the agent should execute shell commands and stage files locally to prepare content, normalizing host-level actions that exceed the skill's document-editing purpose. Repetition makes misuse more likely in practice and increases the chance an agent will treat local command execution as expected behavior.

Intent-Code Divergence

Severity: Medium | Confidence: 88%
Finding
The documentation instructs operators to run shell scripts and curl commands directly, which expands the trust boundary from structured tool calls to arbitrary local command execution. In an agent skill context, that is dangerous because it can encourage unsafe handling of local files, credentials, signed URLs, and imported content outside the controlled MCP interface.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The documentation mandates automatic web search/download of cover images and subsequent upload into the document workflow, without constraining sources, requiring user consent, or warning about external network access. This expands the skill from document management into arbitrary network retrieval, which can leak user intent/data to third parties and introduce unsafe or policy-violating content into documents.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding
The template explicitly instructs the agent to search the open web for an image, download it, and then upload it into Tencent Docs. That expands the skill from document management into unbounded external content retrieval, creating supply-chain and prompt-injection exposure from arbitrary web pages or files without a clear user-justified need.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The frontmatter comment instructs the agent to search the web for an image, download it, and upload it via a tool even though this file is just a static annual-goal template. That expands the task from local document rendering into external network access and file transfer, creating unnecessary data-flow and prompt-scope risk if an agent follows template content as executable guidance.

Context-Inappropriate Capability

Severity: Low | Confidence: 91%
Finding
The frontmatter explicitly instructs the agent/user to perform a network image search, download external content, and then upload it. That expands the skill from Tencent Docs document authoring into arbitrary web retrieval, creating unnecessary prompt-injection, malicious file, tracking, and policy-scope risk from untrusted remote sources.

Intent-Code Divergence

Severity: Low | Confidence: 93%
Finding
The frontmatter comment explicitly instructs the agent to perform a network image search, download content, and then upload it into the document workflow. Even though the action is low risk here, it expands behavior beyond a static template and can trigger unreviewed external network access and file transfer without clear user consent or provenance checks.

Context-Inappropriate Capability

Severity: Low | Confidence: 90%
Finding
The template explicitly instructs an agent or user to perform a network image search, download external content, and then upload it into the platform. This expands the skill's behavior beyond document authoring into external content retrieval, creating supply-chain and prompt-injection exposure if downloaded content or search results are malicious, irrelevant, or copyright-infringing.

Context-Inappropriate Capability

Severity: Low | Confidence: 95%
Finding
The frontmatter instructs the agent to perform a network search, download an image, and call an upload action, which expands the template from passive content into an action-triggering prompt. In an agent setting, this can cause unnecessary external access and data movement without explicit user confirmation or bounded source rules, increasing prompt-injection and untrusted-content exposure.

Vague Triggers

Severity: Medium | Confidence: 80%
Finding
The trigger description is extremely broad, covering common actions like creating, editing, viewing, searching, and saving documents. This can cause the skill to activate for many ordinary requests and route user content into Tencent Docs operations even when the user did not explicitly intend to use this third-party integration.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
The skill advertises destructive file-management actions, including delete, move, rename, and recursive node deletion, but does not require prominent user-facing confirmation before high-impact operations. In a document-management context, this is particularly risky because accidental or prompt-induced deletions can cause irreversible data loss across cloud-hosted content.

Missing User Warnings

Severity: High | Confidence: 97%
Finding
The instruction to silently call `report_unsupported_feature` without informing the user means unsupported requests may be transmitted externally without transparency or consent. Because such requests can contain sensitive business data, document content, or user intent, covert reporting creates a privacy and data-governance risk beyond the user’s requested action.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The README explicitly instructs the skill to send user-provided text to the external Tencent Docs MCP/API to generate an online document link, but it does not require any user-facing disclosure, consent, or warning about data transmission to a third-party service. This creates a genuine privacy and data-handling risk because users may provide sensitive document contents under the assumption of local processing, and the skill context makes this more dangerous since it is specifically designed to process arbitrary document text that may contain confidential business, legal, or personal information.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding
This system prompt is a highly generic transformation template that accepts arbitrary text and template content, but it does not define clear activation boundaries, safety exclusions, or rules for handling adversarial input embedded in the source text or template fields. In an agent skill context, that broad scope can let unrelated or malicious content be processed as authoritative instructions for XML generation, increasing prompt-injection and misuse risk.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The manual fallback instructs the operator to take a user-provided Tencent Docs Token and persist it into local mcporter configuration. That creates a credential-handling risk because the skill does not explicitly warn that the token will be stored locally, may persist beyond the session, and could be exposed to other local users, logs, backups, or later commands. In this skill context, the issue is more dangerous because the document platform token may grant ongoing access to cloud documents and spaces, not just a one-time action.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The docs describe setting documents or spaces to 'all can read' or 'all can edit' without requiring explicit risk acknowledgment, least-privilege guidance, or confirmation. In a document-management skill, this can directly cause unauthorized disclosure or tampering of sensitive content, especially because the same skill can enumerate, create, move, export, and share documents.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The workflow presents search-then-delete as a normal flow without an explicit confirmation or verification step before the destructive action. In this context, search results may be ambiguous, and deleting the wrong document or node could cause data loss or operational disruption.

Missing User Warnings

Severity: Medium | Confidence: 84%
Finding
The reference doc includes destructive deletion operations without prominent warnings, confirmation requirements, or guidance to verify targets before execution. In an agent skill context, this can normalize unsafe automation patterns and increase the chance that an LLM or user triggers irreversible data deletion on the wrong worksheet or view.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The workflow explicitly instructs deletion of default rows and columns as a routine setup step, but does not warn that these actions permanently remove data and may target non-empty content if assumptions are wrong. In a document-management skill, such prescriptive destructive guidance is especially risky because agents may follow the workflow mechanically against real user documents.

Missing User Warnings

Severity: High | Confidence: 98%
Finding
The skill explicitly requires silently calling `report_unsupported_feature` and says not to inform the user, while also framing the report as containing user-originated content. Hidden transmission of user request data without notice or consent is a privacy and trust violation, especially in a document-management skill where prompts may include sensitive business or personal information.

Missing User Warnings

Severity: High | Confidence: 99%
Finding
The instruction to copy the `user_prompt` verbatim into the report creates unnecessary exposure of potentially sensitive data, secrets, personal information, or proprietary document content. Because the report is generated for an unsupported action rather than to fulfill the user's requested task, full-prompt capture is disproportionate and increases privacy risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly instructs callers to provide arbitrary JavaScript via `js_script` to perform sheet edits, but it does not warn that this can directly modify or overwrite live document data. In an agent context, script-driven editing is materially riskier than fixed-parameter operations because a model or user can generate broad destructive actions such as mass cell updates, deletions, or formatting changes without clear guardrails or user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal