Automation Master

Security checks across malware telemetry and agentic risk

Overview

This office automation skill is mostly purpose-aligned, but it needs Review because it can perform broad Windows side effects and handle sensitive financial and identity data without tight scoping.

Install only if you are comfortable running it in an isolated Windows environment with copies of documents. Close LibreOffice before conversion, avoid providing custom executable paths, treat generated spreadsheets and logs as sensitive, and do not rely on it for shared workstations or shared printers until process cleanup, printer routing, and sensitive-data logging are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
@staticmethod
    def kill_libreoffice():
        """Forcibly terminate all LibreOffice processes"""
        os.system('taskkill /f /im soffice.exe >nul 2>&1')
        os.system('taskkill /f /im soffice.bin >nul 2>&1')
        time.sleep(1)
Confidence
94% confidence
Finding
os.system('taskkill /f /im soffice.exe >nul 2>&1')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def kill_libreoffice():
        """Forcibly terminate all LibreOffice processes"""
        os.system('taskkill /f /im soffice.exe >nul 2>&1')
        os.system('taskkill /f /im soffice.bin >nul 2>&1')
        time.sleep(1) 
    
    @staticmethod
Confidence
94% confidence
Finding
os.system('taskkill /f /im soffice.bin >nul 2>&1')

subprocess module call

Medium
Category
Dangerous Code Execution
Content
os.path.splitext(os.path.basename(input_path))[0] + ".pdf")
        
        try:
            result = subprocess.run(
                [
                    convert_tool,
                    "--headless",
Confidence
89% confidence
Finding
result = subprocess.run( [ convert_tool, "--headless", "--convert-to", "pdf", "--outdir", o

subprocess module call

Medium
Category
Dangerous Code Execution
Content
os.makedirs(os.path.dirname(output_path), exist_ok=True)
        
        try:
            process = subprocess.Popen(
                [
                    repair_tool,
                    "--headless",
Confidence
98% confidence
Finding
process = subprocess.Popen( [ repair_tool, "--headless", "--norestore", "--nodefault",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            logger.info(f"开始外部工具修复: {input_path} -> {output_path}")
            
            result = subprocess.run(
                [
                    repair_tool,
                    "--headless",              # headless mode (no UI)
Confidence
98% confidence
Finding
result = subprocess.run( [ repair_tool, "--headless", # headless mode (no UI) "--norestore", # suppress the recovery dialog

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The service exposes printer control and can submit print jobs for all files in a user-supplied directory, yet this capability is not clearly justified in the stated skill purpose. In an agent context, undisclosed physical-world side effects are risky because they can be triggered on behalf of a user without clear consent, causing information leakage, waste, or unintended document disclosure to network/local printers.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill context is a file conversion service, so host-wide process termination is broader than required and increases danger in shared office automation environments. Any caller triggering conversions can indirectly disrupt unrelated LibreOffice workloads on the same host.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generic fallback path sends any discovered file to ShellExecute with the "print" verb, which delegates execution to whatever application is registered for that file type. That broadens the feature from controlled Office document printing to arbitrary handler invocation on untrusted files, increasing the risk of unintended code execution, unsafe app launches, or abuse through recursive directory input.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The startup cleanup routine enumerates the default printer queue and deletes jobs based on status, regardless of who submitted them or whether they belong to this application. In a shared workstation or print-server context, this can destroy other users' pending print jobs and cause denial of service or loss of business records.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The service forcefully terminates all LibreOffice processes on the host before and during repair operations, affecting unrelated sessions and documents. In a multi-user or shared automation environment, this can cause denial of service, data loss from unsaved work, and disruption outside the intended file-repair scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Allowing the caller to choose any external binary as repair_tool creates a direct arbitrary-code-execution primitive, not merely a file-repair feature. In this context, the skill's purpose is office automation, so unrestricted subprocess execution is not justified and materially increases the danger of compromise.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code extracts and logs passenger identity document numbers from train tickets, which is sensitive personal data. In this skill context, invoice extraction is expected, but collecting national ID-style data and persisting it into downstream structured output materially increases privacy risk and potential regulatory exposure if logs or exported files are accessed by unauthorized parties.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The batch rename feature modifies filenames in place, yet the documentation does not prominently warn that changes may be hard to reverse at scale. In a file-management skill, this omission increases the risk of accidental data disorganization, broken references, and user confusion, particularly when regex-based replacement is supported.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The file conversion documentation omits a clear warning that conversion can create new files, replace existing outputs, or collide with existing filenames depending on save behavior. Because this skill handles bulk office documents, unclear output semantics can lead to accidental overwrites, data loss, or confusion about which file is authoritative.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code logs the full params object at operation start, and these parameters include filesystem paths, sheet names, printer names, output locations, and potentially sensitive business document identifiers. If logs are accessible to operators, other services, or attackers after compromise, this creates a secondary disclosure channel for confidential data and operational metadata.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Force-killing all LibreOffice processes without warning is a dangerous side effect for a document conversion skill because it silently disrupts unrelated user activity and can destroy unsaved work. In an automation suite, this behavior is especially risky because users may not expect global application termination from a file task.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code performs destructive system-wide process termination silently, without user confirmation, warning, or even targeting only its own workers. While not an exploit primitive by itself, it is a genuine unsafe behavior that can be abused to repeatedly disrupt service availability and destroy unsaved work.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The service writes extracted invoice data, including tax IDs, bank accounts, ticket numbers, passenger names, and other sensitive business/personal information, into Excel files on disk without any minimization, consent check, masking, or access-control consideration. In an automation context, this can create unauthorized local data exposure, over-retention, and accidental sharing through broadly accessible output directories or downstream handling of the generated spreadsheets.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The train-ticket parsing path extracts passenger ID numbers and names, then logs them directly via logger.info. Logging sensitive identifiers is dangerous because logs are often centralized, retained longer than primary data, and accessible to operators who do not need raw identity data, increasing the blast radius of any compromise or routine log access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The service writes extracted invoice fields, including tax IDs, bank account numbers, passenger names, and identity document numbers, directly into Excel files on disk with no access control, encryption, masking, or user-facing warning. In a batch-processing workflow this can silently create a concentration of sensitive data, increasing the blast radius of workstation compromise, shared-directory exposure, or accidental disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code logs full table configuration, column names, and a preview of the input DataFrame during document generation. In an office-automation skill, those values can easily contain personally identifiable information, financial data, or internal business records, and logs are often retained longer and accessed more broadly than the generated files themselves.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This block logs each row's full contents while writing spreadsheet data, which can expose entire records to application logs. Because the skill generates business documents from user-provided datasets, this creates a secondary sensitive-data store that may be searchable by operators, monitoring tools, or other tenants if logging is centralized.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core data processing
pandas>=1.5.0
numpy>=1.23.0
openpyxl>=3.0.0
Confidence
93% confidence
Finding
pandas>=1.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core data processing
pandas>=1.5.0
numpy>=1.23.0
openpyxl>=3.0.0

# Word document processing
Confidence
93% confidence
Finding
numpy>=1.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core data processing
pandas>=1.5.0
numpy>=1.23.0
openpyxl>=3.0.0

# Word document processing
python-docx>=0.8.11
Confidence
93% confidence
Finding
openpyxl>=3.0.0

VirusTotal

67/67 vendors flagged this skill as clean.
