MiniMax DOCX Pro

Security checks across malware telemetry and agentic risk

Overview

This DOCX skill is document-focused, but it can automatically download and run a .NET installer and modify the user's home-directory .NET installation without clear opt-in.

Review before installing. The document-generation functions appear coherent, but use this only if you are comfortable with it managing .NET on your machine. Prefer installing .NET 9 manually first, avoid running setup/build/audit commands until you know what they will change, and do not allow it to remove ~/.dotnet unless that directory is disposable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
$execution = [scriptblock]::Create($installer.Content)
            & $execution -Channel {channel} -InstallDir '{target_dir}'
            """
            subprocess.run(
                ["powershell", "-Command", powershell_script],
                capture_output=True, text=True, timeout=300
            )
Confidence
99% confidence
Finding
subprocess.run( ["powershell", "-Command", powershell_script], capture_output=True, text=True, timeout=300 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
target_dir = Path.home() / ".dotnet"

            installer_path = Path(tempfile.gettempdir()) / "dotnet-bootstrap.sh"
            subprocess.run(
                ["curl", "-sSL", installer_url, "-o", str(installer_path)],
                check=True, timeout=60
            )
Confidence
96% confidence
Finding
subprocess.run( ["curl", "-sSL", installer_url, "-o", str(installer_path)], check=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
check=True, timeout=60
            )
            installer_path.chmod(0o755)
            subprocess.run(
                [str(installer_path), "--channel", channel, "--install-dir", str(target_dir)],
                check=True, timeout=300
            )
Confidence
98% confidence
Finding
subprocess.run( [str(installer_path), "--channel", channel, "--install-dir", str(target_dir)], check=True, timeout=300 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and instructs use of shell execution, file reads/writes, and environment inspection, but it does not declare those permissions explicitly. That creates a transparency and policy-enforcement gap: a host or reviewer may underestimate what the skill can do, while the skill can still drive potentially sensitive operations such as invoking external tools and modifying local files. In this context, the undocumented shell and filesystem capabilities increase risk because the skill also references .NET execution and optional tooling that may expand attack surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared description frames the skill as document generation, but the documented behavior extends into auditing, template patching, OOXML repair, environment inspection, tool installation, compiler-output analysis, and use of external subprocess-driven tooling. This mismatch is dangerous because users and policy systems may grant trust based on a narrow understanding of the skill, while the actual behavior includes broader and riskier actions such as network-enabled provisioning, shell execution, and modification of existing documents. In a document-processing skill, editing arbitrary files and provisioning dependencies materially increases the chance of unintended code execution paths, data exposure, or destructive document changes.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill's declared purpose is DOCX generation, but it also performs environment bootstrapping by downloading and installing the .NET SDK from the internet. This materially expands capability and trust requirements beyond what users would expect, increasing the chance of supply-chain compromise and unsafe host modification.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Network-based runtime provisioning via curl and PowerShell is not justified by the stated purpose of a document-generation skill and introduces a powerful code execution path. The context makes this more dangerous because an enterprise document tool is likely to run in trusted work environments where such hidden provisioning can have broad impact.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code automatically downloads and installs .NET without an explicit confirmation step, causing silent system modification and execution of externally sourced code. Even if the source is legitimate, performing this action without clear consent is unsafe and violates least surprise for a document-processing tool.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The guide advises users to retry document conversion with elevated execution permission when conversion fails in a restricted runtime, but it does so without warning about the risks of increasing privileges on untrusted input. Because this skill processes user-supplied `.doc` files through external tooling (`soffice`), encouraging privilege escalation can increase the blast radius of parser/tool exploitation or unsafe file handling.

VirusTotal

66/66 vendors flagged this skill as clean.
