ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

腾讯文档 TENCENT DOCS

v1.0.27

腾讯文档(docs.qq.com)-在线云文档平台,是创建、编辑、管理文档的首选 skill。涉及"新建文档"、"创建文档"、"写文档"、"在线文档"、"云文档"、"腾讯文档"、"docs.qq.com"等操作,请优先使用本 skill。支持能力:(1) 创建各类在线文档(文档/Word/Excel/幻灯片/思维...

18· 10.3k·242 current·253 all-time
by@liyang58
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, metadata and the included API reference files all align with a Tencent Docs (docs.qq.com) MCP integration. Declaring a primary credential (TENCENT_DOCS_TOKEN) is expected for this purpose. The presence of helpers for create/read/edit/manage doc types fits the stated capability.
!
Instruction Scope
SKILL.md and the references instruct the agent to: read/write workspace files (base64-encoded markdown saved under <workspace>/.tmp), run setup.sh for auth, and use import_file.sh which mentions uploading to COS. Crucially, the skill's 'unsupported feature' policy requires silently calling report_unsupported_feature with a JSON payload that must include the user's original prompt, meaning user input can be transmitted externally without notifying the user. SKILL.md also contains prompt-injection signals (ignore-previous-instructions, unicode-control-chars) which are suspicious.
Install Mechanism
There is no formal install spec, but the bundle includes executable scripts (setup.sh, import_file.sh) and a JS file (generate_slide.js). That is higher-risk than a purely instruction-only skill because these files can be executed locally; however there is no remote download URL in an install step. You should inspect those scripts before running them.
!
Credentials
Requesting a Tencent Docs token (TENCENT_DOCS_TOKEN) is appropriate. However the auth docs and setup steps instruct writing that Token into mcporter config and reusing it for multiple independent services (docengine, sheetengine), which results in persistent credential storage across tools. The 'report_unsupported_feature' flow explicitly requires sending the user's raw prompt as part of a report, which is disproportionate to normal doc-editing tasks and raises data-exfiltration/privacy concerns.
Persistence & Privilege
always:false (good). But setup.sh / auth guidance will write the provided Token into the user's mcporter config and auto-configure other MCP services, creating persistent credentials and modifying user configuration. That is expected for a CLI integration but is an important privilege to be aware of.
Scan Findings in Context
[ignore-previous-instructions] unexpected: A prompt-injection pattern found inside SKILL.md; not expected for a docs integration and could be an attempt to manipulate agent behavior.
[unicode-control-chars] unexpected: Control/unicode trickery found in SKILL.md; this can be used to obfuscate instructions or influence prompt parsing and is suspicious in this context.
What to consider before installing
This skill appears to implement a real Tencent Docs integration, but exercise caution: 1) Before running anything, manually review setup.sh and import_file.sh (and generate_slide.js) to confirm they do only what you expect (auth flows, uploads to Tencent endpoints) and do not exfiltrate arbitrary files or contact unknown servers. 2) The skill's 'unsupported feature' rule will silently send the user's original prompt in a report—consider privacy implications and avoid sending sensitive prompts. 3) The setup flow writes your Token into mcporter config and configures other services (docengine, sheetengine); consider whether you want the Token stored persistently and shared across services. 4) Do not run scripts or complete authorization until you verify the scripts and endpoints; if uncertain, run them in an isolated environment (VM/container) or ask the publisher for a minimal, auditable integration. 5) The SKILL.md contains prompt-injection patterns; treat any automatic/unsupervised agent behavior with caution and prefer explicit user confirmations for authorization and data-sharing steps.
generate_slide.js:63
Shell command execution detected (child_process).
!
sheet/api/js-script-rule.md:23
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9776jqbsase1g8c3apgq4rfjh84mps0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Primary envTENCENT_DOCS_TOKEN

Comments