Professional Document Processing (专业文档处理)

Security checks across malware telemetry and agentic risk

Overview

This document-processing skill appears useful and purpose-aligned, but its broad batch file operations need closer review before installation.

Review this skill carefully before installing. Use it only on selected folders you are comfortable processing, avoid confidential or regulated documents unless you understand where OCR/extracted content goes, and make backups before batch conversion, renaming, encryption, or decryption operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 78% confidence

Finding: The description claims extremely broad applicability such as handling nearly all office document scenarios and being a one-stop tool, but does not define activation boundaries, exclusions, or safety constraints. Overbroad scope can cause the agent to invoke the skill in inappropriate contexts, including on sensitive or unsupported files, which increases the chance of privacy-impacting or destructive operations.

Missing User Warnings

Medium, 94% confidence

Finding: The skill exposes capabilities like batch processing, content extraction, OCR, PDF encryption/decryption, and bulk renaming without any warnings about privacy, sensitivity of document contents, irreversible changes, or legal/compliance implications. In a document-processing context, these features can directly affect confidential files at scale, so missing safeguards materially raises the risk of accidental data disclosure, corruption, or unauthorized handling of protected documents.

VirusTotal

VirusTotal findings are pending for this skill version.