ClawHub

Easydoc Extract

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward EasyLink document-extraction helper, but users should know their selected documents are sent to EasyLink's external API.

Install only if you are comfortable sending the chosen PDFs or images, extracted contents, and task metadata to EasyLink's external service. Avoid regulated, confidential, or customer documents unless you are authorized and have checked EasyLink's privacy, retention, and regional handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill is designed to upload user documents to a third-party API for extraction, but the description does not clearly warn users that both the source files and extracted contents leave the local environment. Because documents may contain sensitive personal, financial, or corporate data, omission of this disclosure increases the risk of unintentional data exfiltration.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill hardcodes a single CN/EasyLink platform and presents it as the only option without explaining data residency or locale implications. For document extraction workflows, this can route sensitive records into a jurisdiction or service region the user did not intend, creating compliance and privacy exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document explicitly instructs users to upload one or more files to a third-party API, including PDFs and identity/business documents, but provides no warning that sensitive contents will leave the local environment. In a skill context, this omission is security-relevant because users may submit confidential or regulated documents without informed consent or data-handling guidance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script uploads arbitrary user-supplied documents to a third-party API, but it does not provide an explicit user-facing privacy or data-transmission warning beyond the technical description and CLI usage. In a document-extraction skill, files may contain sensitive PII, financial, or corporate data, so silent transmission to an external service creates a real confidentiality and compliance risk if users are not clearly informed.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal