
Security audit

Google Docs

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Docs automation skill, but it can read, edit, overwrite, and export documents through Maton.

Install only if you trust Maton with the Google Docs content and edits routed through its gateway. Protect MATON_API_KEY, verify document IDs before write/replace/export commands, use append or narrow edits when possible, and avoid exporting sensitive documents to shared or temporary paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill demonstrably requires and documents access to environment variables, network calls, and local file writes/reads, but those capabilities are not explicitly declared as permissions. This creates a transparency and governance gap: an agent or reviewer may authorize the skill under incomplete assumptions, increasing the risk of unintended secret access or outbound data transfer.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill description says it is for interacting with Google Docs documents, but the documented behavior also includes listing OAuth connections and creating new ones through the Maton control API. That broader control-plane functionality changes the trust boundary and can let the skill enumerate account linkage state or initiate new authorization flows beyond ordinary document operations.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The implementation supports exporting TXT, HTML, ODT, RTF, and EPUB in addition to the stated PDF/DOCX scope. Scope expansion matters because document-export features are high-value exfiltration paths, and undeclared capabilities can bypass user and platform expectations about what the skill is allowed to do.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The skill includes listing and creating OAuth connections, which is broader than simple document read/write operations. In an agent setting, connection-management expands privilege and account-linking surface area, making it easier for a workflow to initiate or enumerate authenticated integrations without that capability being clearly justified in the skill description.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises capabilities such as clearing, overwriting, appending, and replacing document content without clearly warning that these actions can modify or destroy existing user data. In an agent-integrated context, this increases the risk of unintended destructive actions if a user or agent invokes the skill without explicit confirmation safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README emphasizes convenience through the Maton gateway but does not prominently disclose that document contents and API requests are transmitted through a third-party service. Because this skill handles potentially sensitive document data, insufficient privacy disclosure can cause users to unknowingly expose confidential content to an external processor.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill documents destructive content-modification operations such as batch updates and later deletion/overwrite-related requests without clear warnings, confirmations, or safeguards. In an agent setting, this increases the chance of accidental document corruption or irreversible content loss when the model interprets an ambiguous user request too broadly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI example advertises a `write` operation that overwrites an entire document but does not warn the user that existing content will be replaced. This is dangerous in automation contexts because users may assume it appends or edits incrementally, leading to unintended data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The write command deletes the full document body and replaces it without any interactive warning, dry-run, revision check, or confirmation step. In an agent context this is risky because a mistaken prompt, wrong document ID, or ambiguous instruction can cause irreversible data loss or overwrite important content at scale.

VirusTotal

66/66 vendors flagged this skill as clean.
