Office Document Editor

Security checks across malware telemetry and agentic risk

Overview

This is a real document-editing skill, but it needs review: it has broad file-access and network-transfer powers, and one PPTX feature can damage presentations.

Install only if you are comfortable with a document skill that can read local files, download from arbitrary URLs, retrieve files over SFTP/SSH, upload edited documents to remote hosts, and write Git commits. Avoid using it on sensitive documents until you have reviewed the scripts, do not use the PPTX slide-rearrange feature as written, and prefer explicit local copies over remote sources or destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents shell execution, arbitrary file reads/writes, and document modification workflows, but does not declare permissions accordingly. This creates a hidden-capability problem where a caller may invoke a seemingly simple document editor without understanding that it can access local files, fetch remote content, and write outputs via shell-driven scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is document editing, but the documented behavior expands into arbitrary local file access, public URL downloads, SFTP/SSH retrieval, interactive shell workflows, and content conversion. That mismatch is dangerous because users and policy layers may trust the skill for a narrow editing task while it actually enables broader data ingress/egress and filesystem access than expected.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest frames the skill as an editor with Git support, but the documentation extends it to ingesting files from uploads, arbitrary filesystem paths, URLs, and SFTP/SSH sources. This scope drift increases the chance of unintended sensitive file access or external data transfer under the guise of normal document editing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Network-based retrieval from public URLs and SFTP/SSH materially expands the attack surface beyond editing office documents. It can be used to pull untrusted content into the environment, access remote systems with provided credentials, or act as an exfiltration path to remote destinations not implied by the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script permits arbitrary retrieval of files from public HTTPS URLs and SFTP/SSH endpoints, which expands the skill from local document editing into network-capable file acquisition. In an agent context, this can enable unreviewed outbound connections, import of attacker-controlled documents, and access to internal or sensitive network resources if user input is not tightly constrained.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Arbitrary remote file retrieval is a meaningful capability increase for a document editor because it allows the skill to reach external systems and ingest attacker-controlled content. In a tool-execution environment, this broadens the attack surface to SSRF-like behavior, data-flow from untrusted sources, and unexpected network interactions beyond the stated editing purpose.
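The three retrieval findings above describe one gap: a source string is accepted as a local path, an HTTPS URL, or an SFTP/SSH endpoint with no policy applied to it. The following is an added example of the ingress check a reviewer would want, written for this page and not taken from the skill. The workspace root, the scheme allowlist and the sample specs are assumptions for the example; the re-check of a hostname after DNS resolution is deliberately omitted so the code runs offline, and a production version must add it.

```python
import ipaddress
import re
from pathlib import Path
from typing import NamedTuple
from urllib.parse import urlsplit

# Assumed policy for this example; the skill itself applies none.
WORKSPACE = Path("/work/docs")   # only files under here may be read locally
ALLOWED_SCHEMES = {"https"}      # no http, ftp, file, sftp, ssh, scp
# scp/sftp shorthand such as user@host:/path or host:path
SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:")


class Decision(NamedTuple):
    allowed: bool
    kind: str      # "local", "https" or "refused"
    detail: str    # normalized target, or the reason for refusal


def is_public_host(host: str) -> bool:
    """True unless the host is a literal address outside global unicast
    (loopback, RFC 1918, link-local incl. 169.254.169.254, ULA, ...).
    A hostname passes here and must be re-checked after DNS resolution,
    which this offline example omits."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_global
    except ValueError:
        h = host.lower()
        return h != "localhost" and not h.endswith(".local")


def check_source(spec: str) -> Decision:
    """Classify a user-supplied source and decide whether the skill may read it."""
    spec = spec.strip()
    if "://" not in spec:
        if SCP_LIKE.match(spec):
            return Decision(False, "refused", f"remote shell-style source: {spec}")
        target = (WORKSPACE / spec).resolve()       # absolute specs replace WORKSPACE
        if not target.is_relative_to(WORKSPACE.resolve()):
            return Decision(False, "refused", f"path escapes workspace: {spec}")
        return Decision(True, "local", str(target))
    u = urlsplit(spec)
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        return Decision(False, "refused", f"scheme not allowed: {u.scheme}")
    if u.username or u.password:
        return Decision(False, "refused", "credentials embedded in URL")
    if not u.hostname or not is_public_host(u.hostname):
        return Decision(False, "refused", f"host is not public: {u.hostname}")
    return Decision(True, "https", u.geturl())
```

The local branch resolves the path first and then checks containment, so `../` sequences and absolute paths are caught after normalisation rather than by string matching; the URL branch refuses anything that is not HTTPS to a public host, which is what keeps the skill from being pointed at cloud metadata endpoints or internal services.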

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Advanced mode executes ${EDITOR:-nano} directly, allowing a user-controlled environment variable to select any executable. In an agent or shared automation context, this can trigger unintended command execution or launch unsafe programs outside the skill's document-editing scope, especially because there is no validation or warning before execution.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The function claims to rearrange slides, but it removes all slide IDs from the presentation and never restores them in the requested order. In a document-editing skill, this can silently destroy presentation content and produce corrupted or empty output, creating integrity and availability risk for user documents.
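To make the slide-rearrange finding concrete, here is an added example (not the skill's code) that works on the slide list in ppt/presentation.xml, which is where a .pptx records slide order. One function reproduces the failure described above, removing every <p:sldId> and never re-appending it, and the other reorders the entries while refusing any order that is not a permutation, so a slide can neither be dropped nor duplicated. The sample XML, the package-level wrapper and the part names are constructed for the example; real decks carry further namespace declarations on the root element that ElementTree would drop, so a production fix should go through python-pptx or another writer that preserves them.

```python
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by ppt/presentation.xml inside a .pptx package.
P = "http://schemas.openxmlformats.org/presentationml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ET.register_namespace("p", P)
ET.register_namespace("r", R)

# Constructed sample: the slide list of a three-slide deck and nothing else.
SAMPLE_PRESENTATION_XML = (
    f'<p:presentation xmlns:p="{P}" xmlns:r="{R}"><p:sldIdLst>'
    '<p:sldId id="256" r:id="rId2"/>'
    '<p:sldId id="257" r:id="rId3"/>'
    '<p:sldId id="258" r:id="rId4"/>'
    "</p:sldIdLst></p:presentation>"
)
PART = "ppt/presentation.xml"


def slide_rel_ids(xml_text):
    """Slide relationship ids (r:id) in presentation order."""
    lst = ET.fromstring(xml_text).find(f"{{{P}}}sldIdLst")
    return [sld.get(f"{{{R}}}id") for sld in lst]


def is_valid_order(order, n):
    """A reorder must be a permutation of 0..n-1: nothing dropped, nothing duplicated."""
    return sorted(order) == list(range(n))


def rearrange_broken(xml_text, order):
    """The failure in the finding: every <p:sldId> is removed and nothing is
    appended back, so the saved deck has an empty slide list."""
    root = ET.fromstring(xml_text)
    lst = root.find(f"{{{P}}}sldIdLst")
    for sld in list(lst):
        lst.remove(sld)
    # the step that re-appends the entries in `order` is missing
    return ET.tostring(root, encoding="unicode")


def rearrange(xml_text, order):
    """Reorder the <p:sldId> entries so that slide order[i] (0-based index
    into the current order) becomes slide i. Refuses a non-permutation."""
    root = ET.fromstring(xml_text)
    lst = root.find(f"{{{P}}}sldIdLst")
    if lst is None:
        raise ValueError("no <p:sldIdLst> in presentation.xml")
    slides = list(lst)
    if not is_valid_order(order, len(slides)):
        raise ValueError(f"order must be a permutation of 0..{len(slides) - 1}")
    for sld in slides:
        lst.remove(sld)
    for idx in order:
        lst.append(slides[idx])
    assert len(lst) == len(slides)   # post-condition: no slide lost
    return ET.tostring(root, encoding="unicode")


def rearrange_pptx(src, dst, order):
    """Rewrite only ppt/presentation.xml inside the package, copying every
    other part through unchanged; returns the new slide order."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        new_xml = rearrange(zin.read(PART).decode("utf-8"), order)
        for info in zin.infolist():
            data = new_xml.encode("utf-8") if info.filename == PART else zin.read(info)
            zout.writestr(info, data)
    return slide_rel_ids(new_xml)


def build_sample_pptx(path):
    """Write a constructed, minimal .pptx-shaped zip for trying the example."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(PART, SAMPLE_PRESENTATION_XML)
        z.writestr("docProps/app.xml", "<Properties/>")   # passthrough part
```

The integrity check that matters is the permutation test plus the post-condition on the element count: with those in place the function cannot silently produce an empty or shortened deck, which is exactly what the broken variant does.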

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The workflow performs additional data-processing and persistence actions beyond straightforward document editing: it converts the input document to Markdown and automatically stages and commits generated artifacts to Git. This expands the data exposure surface because potentially sensitive document contents are copied into new plaintext artifacts and persisted in version history, which may violate user expectations and increase the risk of inadvertent disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The description does not clearly warn that the skill can modify documents and obtain files from remote or arbitrary local sources. Insufficient disclosure is dangerous here because users may grant trust to a routine editing tool without realizing it can perform potentially sensitive file acquisition and destructive writes.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The SFTP call may automatically use available SSH keys, keys held by a running ssh-agent, or stored credentials to connect to remote hosts without any explicit warning or consent flow. In an agent setting, this can cause unintended use of sensitive credentials and unanticipated outbound authentication attempts to attacker-specified destinations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script launches an external program via the EDITOR environment variable with no disclosure that this is equivalent to executing a local command. Users may believe they are merely editing a JSON file, while the environment can cause arbitrary code or a different tool to run, creating a command-execution and trust-boundary problem.
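Both EDITOR findings (this one and the earlier Context-Inappropriate Capability entry) come down to the same shell idiom, `${EDITOR:-nano} file.json`, which hands the contents of an environment variable to the shell as a command line. This added Python example, not code from the skill, shows what that idiom accepts beside a hardened resolver that takes a single bare program name from an allowlist, refuses paths and arguments, and discloses the resolved executable before running it. The allowlist is an assumption for the example.

```python
import os
import shlex
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Assumed allowlist for this example; the skill as written has none.
ALLOWED_EDITORS = {"nano", "vi", "vim"}


def editor_command_unchecked(env: dict) -> list:
    """What `${EDITOR:-nano} file.json` does in shell: the variable is
    word-split and run as-is, so EDITOR='python3 -c ...' or
    EDITOR=/tmp/payload is executed with the skill's privileges."""
    return shlex.split(env.get("EDITOR", "nano"))


def resolve_editor(env: dict, allowed: set = ALLOWED_EDITORS) -> list:
    """Hardened form: accept a single bare program name from the allowlist,
    no arguments and no path components, and require it to exist on PATH."""
    raw = env.get("EDITOR", "nano").strip()
    parts = shlex.split(raw)
    if len(parts) != 1:
        raise ValueError(f"EDITOR must be one program name, got {raw!r}")
    name = parts[0]
    if Path(name).name != name:                # rejects /tmp/payload, ../x, etc.
        raise ValueError(f"EDITOR must not contain a path: {raw!r}")
    if name not in allowed:
        raise ValueError(f"EDITOR {name!r} is not in the allowlist {sorted(allowed)}")
    resolved = shutil.which(name, path=env.get("PATH", os.defpath))
    if resolved is None:
        raise FileNotFoundError(f"editor {name!r} not found on PATH")
    return [resolved]


def editor_decision(env: dict, allowed: set = ALLOWED_EDITORS) -> tuple:
    """(True, resolved_path) or (False, reason), for callers that want to
    report instead of raise."""
    try:
        return True, resolve_editor(env, allowed)[0]
    except (ValueError, FileNotFoundError) as e:
        return False, str(e)


def edit_json_file(target: str, env: Optional[dict] = None) -> int:
    """Launch the vetted editor on `target` after disclosing exactly which
    executable will run; returns the editor's exit status."""
    env = dict(os.environ if env is None else env)
    cmd = resolve_editor(env)
    print(f"running {cmd[0]} on {target}")     # the disclosure the finding asks for
    return subprocess.call(cmd + [target], env=env)
```

Resolving through `shutil.which` and then executing the absolute path also removes the second ambiguity in the original idiom, where a later change to PATH could swap in a different binary between the check and the launch.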

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads the edited document to an arbitrary SFTP destination after only collecting a destination string, without a clear warning that document contents will be transmitted off-host. In document-processing workflows, this can lead to accidental exfiltration of sensitive files to external systems if the operator misunderstands the action or is socially engineered into providing a remote path.
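For the upload finding, an added example of the consent step the warning asks for (example code, not the skill's own): the destination string is parsed, the host is checked against an operator-approved list, and the operator is shown what would leave the machine (file name, size and SHA-256) before any transfer happens. The approved-host set and the `[user@]host:path` destination form are assumptions for the example; the actual `sftp` invocation is left to a callback so the example runs offline.

```python
import hashlib
import re
from pathlib import Path
from typing import Callable, NamedTuple, Optional

# Assumed for this example: the only hosts the operator has approved for uploads.
APPROVED_UPLOAD_HOSTS = {"files.corp.example"}

# sftp/scp destination shorthand: [user@]host:remote_path
DEST_RE = re.compile(r"^(?:(?P<user>[\w.-]+)@)?(?P<host>[\w.-]+):(?P<path>\S+)$")


class UploadPlan(NamedTuple):
    user: Optional[str]
    host: str
    remote_path: str
    size: int
    sha256: str

    def summary(self, name: str) -> str:
        who = f"{self.user}@" if self.user else ""
        return (f"send {name} ({self.size} bytes, sha256 {self.sha256[:16]}...) "
                f"to {who}{self.host}:{self.remote_path}")


def destination_allowed(dest: str) -> tuple:
    """Parse the destination and check the host against the approved set."""
    m = DEST_RE.match(dest.strip())
    if not m:
        return False, f"unrecognised destination form: {dest!r}"
    if m["host"] not in APPROVED_UPLOAD_HOSTS:
        return False, f"host {m['host']!r} is not an approved upload target"
    return True, m["host"]


def plan_upload(local_file: Path, dest: str) -> UploadPlan:
    """Build the manifest that is shown before anything leaves the host."""
    ok, why = destination_allowed(dest)
    if not ok:
        raise PermissionError(why)
    m = DEST_RE.match(dest.strip())
    data = local_file.read_bytes()
    return UploadPlan(m["user"], m["host"], m["path"], len(data),
                      hashlib.sha256(data).hexdigest())


def confirmed_upload(local_file: Path, dest: str,
                     confirm: Callable[[str], bool],
                     send: Callable[[UploadPlan, Path], None]) -> Optional[UploadPlan]:
    """Only call `send` (in the real skill, the sftp invocation) after the
    operator has seen the manifest and answered yes. Returns None on decline."""
    plan = plan_upload(local_file, dest)
    if not confirm(plan.summary(local_file.name)):
        return None
    send(plan, local_file)
    return plan
```

Keeping the transfer behind a `confirm` callback means an agent driving the skill cannot supply the consent itself unless the operator deliberately wires it that way, and logging the returned plan gives an audit record of exactly which bytes went where.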

VirusTotal

65/65 vendors reported this skill as clean (no detections). Note that this is a malware check only; it does not evaluate the capability and disclosure issues listed in the findings above.