Tencent Docs Skill

Security checks across malware telemetry and agentic risk

Overview

This Tencent Docs skill does what it claims, but it grants broad live document control and exposes an authorization token in command output, so it needs careful review before installation.

Install only if you are comfortable giving this skill persistent Tencent Docs access to read, create, edit, delete, import/export, scrape into, and publicly share documents. Protect the mcporter token and command logs, avoid shared machines, verify exact file IDs and sheet ranges before destructive edits, and manually confirm any public-read/public-edit permission change or local file upload.

Publisher note

Tencent Docs Skill

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation inconsistently describes `properties.sheet_id` as a worksheet name while the rest of the file defines `sheet_id` as an identifier. This can cause callers or downstream agents to send the wrong value into a create operation, leading to mis-targeted object creation, logic errors, or accidental modification/deletion of the wrong worksheet when later steps rely on returned IDs.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The script's public interface/documentation says the wait step returns TOKEN_READY, but the implementation actually prints TOKEN_READY:<token>, disclosing the raw authorization token to stdout. In agent and automation contexts, stdout is commonly logged, surfaced to orchestration layers, or shown to users, so this leaks a reusable credential beyond its intended storage location.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The skill description contains broad trigger phrases such as '新建文档' ("new document"), '创建文档' ("create document"), and '请优先使用本 skill' ("please prefer this skill"), which can cause the agent to route many generic document-related requests to this skill even when another tool would be safer or more appropriate. This increases the risk of over-invocation, accidental data access, or unintended document creation or modification, because the routing guidance is framed as a blanket priority rather than a narrowly scoped capability declaration.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill advertises destructive file-management actions including delete, move, and overwrite-capable operations near the top-level description, but it does not pair those capabilities with prominent safety constraints such as confirmation requirements, scoping limits, or explicit warnings before destructive use. In an agent setting, this can normalize risky operations and increase the chance of accidental deletion or modification of user documents, especially when combined with broad invocation cues and extensive file-management authority.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README directs the agent to transmit user-provided document content to an external MCP service (`tencent-docs` / `doc.ai_format_pure_text`) but does not require any explicit disclosure, consent, or data-handling warning before doing so. Because the content may contain contracts, essays, government documents, or other sensitive text, this creates a real privacy and data-exposure risk if users are unaware their input leaves the local processing context.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The manual fallback instructs the operator to paste an authorization token directly into persistent local mcporter configuration for multiple services, but it provides no warning about secret handling, storage lifetime, shell history exposure, or least-privilege considerations. This can lead to credential leakage through command history, shared home-directory config, logs, or reuse of an over-scoped token across services.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document exposes a capability to change document or space permissions to 'all can read' or 'all can edit' without requiring an explicit confirmation or warning about data exposure. In an agent context, this increases the chance of accidental oversharing of sensitive documents or unauthorized broad edit access, especially if an agent follows terse user instructions without surfacing the risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The deletion workflow instructs searching by keyword and then deleting the matched document without a mandatory confirmation of the exact target or deletion scope. In an agent-driven workflow, ambiguous search results or mistaken file selection could lead to destructive actions against the wrong document or, in related contexts, broader-than-intended deletion.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The document exposes destructive delete operations without prominent warnings about irreversibility, confirmation requirements, or safeguards. In an agent setting, such docs can normalize direct execution of deletion calls and increase the chance of accidental data loss, especially when the model is following procedural references autonomously.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The workflow examples actively instruct bulk cleanup of default rows and columns, including listing IDs and deleting them, but do not require a user-facing confirmation or warn about irreversible impact. Because these are step-by-step agent-consumable instructions, they materially increase the risk of unintended destructive actions against real documents rather than merely describing API capability.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow explicitly includes destructive file deletion as a routine operation but provides no guidance to require user confirmation, warn about irreversibility, or verify the target before deletion. In an agent setting, this increases the chance of accidental or prompt-induced data loss because the model may treat deletion as a normal next step without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The web scraping workflow states that any mentioned URL must be fetched and automatically saved as a document, but it does not warn about privacy, copyright, sensitive content ingestion, or unintended persistence in the user's workspace. This is risky because merely referencing a URL could cause external content to be imported and retained without clear consent or data-handling notice.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Emitting the authorization token directly to stdout exposes a bearer secret that can be captured by terminal scrollback, shell history wrappers, agent transcripts, CI logs, or parent processes. Because the token is then reusable for authenticated API access, disclosure can enable account or document access by anyone who obtains the logs.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The interactive fallback prints a full shell command containing the live Authorization token. This encourages copying, logging, or screenshotting a sensitive credential and increases the chance the token is stored in terminal history or support transcripts.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill documents destructive operations such as deleting rows/columns and clearing data without requiring confirmation, preview, or user-visible warning. In an agentic environment, that increases the risk of accidental or misinterpreted commands causing irreversible spreadsheet data loss.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Range.clear() removes contents, formatting, and formulas, but the instructions present it as a normal operation without strong warning about irreversible loss. That makes accidental broad-range clearing much more likely when the agent misidentifies the active sheet or target range.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document exposes destructive sheet operations such as clearing content/styles and deleting rows or columns, but provides no guidance to require user confirmation, preview affected ranges, or warn about irreversible changes. In an agent skill context, this increases the chance of accidental data loss if a model invokes these tools from ambiguous or overly broad instructions.

Missing User Warnings

Severity: Low
Confidence: 77%
Finding
The API documentation allows identifying documents by file URL and includes data retrieval capabilities, but does not warn about privacy, sensitive spreadsheet contents, or the risks of fetching data from unintended documents. In an agent setting, omission of these guardrails can lead to over-collection or disclosure of spreadsheet data when users provide URLs containing sensitive business information.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly exposes destructive operations such as deleting rows/columns and clearing content/styles, but provides no warning about data loss, irreversibility, or the need to confirm intent before execution. In an agent context, this increases the chance of accidental destructive actions on real user spreadsheets, especially because the document token is reused automatically and operations target live documents.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflows instruct the agent to directly modify cell values, styles, filters, links, merges, and dimensions without stating that these actions will alter the user's document. In a live-editing skill, omission of modification disclosure can mislead users and cause unauthorized or unintended changes, particularly when write access is assumed and the service is designed for precise editing.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 93%
Content (excerpt from the skill's upload script; the curl command continues beyond the captured excerpt)

    echo "✅ 获取上传链接成功"
    echo ""

    # ── Step 2: upload the file to COS with curl PUT ─────────────────────────────
    echo "⏳ 正在上传文件到 COS..."

    HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
      -X PUT \
      -H "Content-Type: application/octet-stream" \

VirusTotal

VirusTotal findings are pending for this skill version.
