ClawHub

OC Doc Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward documentation generator that reads selected source code and can save or export generated docs, with no evidence of hidden or malicious behavior.

Install this only if you want an agent to inspect selected source files to generate API or technical docs. Specify exact paths, review generated docs for secrets or internal-only details, and use Feishu export only when you are comfortable sending that content to your Feishu workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs reading source files and writing generated output to local files or external document systems, yet it declares no permissions. This creates a transparency and governance gap: the agent may perform file access and write operations without explicit user-facing permission boundaries, increasing the risk of unintended data exposure or unauthorized modification.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are overly broad and likely to match ordinary requests about writing or generating documents, causing the skill to activate outside the user's intent. In this skill, accidental activation is more dangerous because it can read source code and potentially write outputs locally or to Feishu, expanding the blast radius of a simple misroute.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises generating documentation but does not prominently disclose that it may write content to local files or external Feishu documents. Hidden write/export behavior can lead to unintended data exfiltration or unauthorized persistence of sensitive code-derived content, especially when source code may contain internal interfaces or secrets in comments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal