ClawHub

Proposal Editor

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused proposal/report document editor with visible document-editing behavior and no evidence of hidden data theft, persistence, or unrelated system control.

Install this if you want a Chinese-language assistant for proposal and report DOCX editing. Work on copies or backups of important documents, review proposed changes before accepting them, and approve any pandoc or python-docx installation or command use explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions are broad enough to match many ordinary document-editing requests, which can cause this specialized skill to activate when the user did not intend it. In an agent system, unintended activation can route user data and editing tasks through the wrong workflow, increasing the chance of incorrect edits, privacy exposure to unnecessary tooling, or bypass of a more appropriate general-purpose skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow instructs direct modification of .docx content via pandoc, python-docx, or raw XML editing, but it does not require backups, integrity checks, or safe-write procedures before altering the original file. In a document-editing skill, this creates a real risk of accidental corruption, formatting loss, or irreversible overwrites, especially when using unzip/XML-repack steps that are fragile and can silently damage Office documents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal