ClawHub

OpenClaw全领域办公自动化超级Skill完整包

Security checks across malware telemetry and agentic risk

Overview

This office automation skill does useful document work, but it needs Review because it can modify files, send email, and run unsafe shell commands from user-supplied paths.

Install only after review or patching. Treat it as a powerful local automation tool: do not give it sensitive directories or real SMTP credentials until shell=True calls are replaced with safe argument lists, archive extraction is hardened, and explicit confirmations/previews are added for email, attachments, renames, extraction, encryption/decryption, and other file-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            import subprocess
            cmd = f'libreoffice --headless --convert-to pdf "{input_path}" --outdir "{os.path.dirname(output_path)}"'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            if result.returncode == 0:
                logger.info(f"Word转PDF成功: {output_path}")
                return True
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            import subprocess
            cmd = f'gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/ebook -dNOPAUSE -dQUIET -dBATCH -sOutputFile="{output_path}" "{input_path}"'
            result = subprocess.run(cmd, shell=True, capture_output=True)
            if result.returncode == 0:
                logger.info(f"PDF压缩成功: {output_path}")
                return True
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif format == "7z":
                import subprocess
                cmd = f'7z a "{output_path}" {" ".join(file_paths)}'
                subprocess.run(cmd, shell=True, check=True)
            
            logger.info(f"压缩成功: {output_path}")
            return True
Confidence
100% confidence
Finding
subprocess.run(cmd, shell=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            import subprocess
            cmd = f'libreoffice --headless --convert-to pdf "{input_path}" --outdir "{os.path.dirname(output_path)}"'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            if result.returncode == 0:
                logger.info(f"Word转PDF成功: {output_path}")
                return True
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            import subprocess
            cmd = f'gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/ebook -dNOPAUSE -dQUIET -dBATCH -sOutputFile="{output_path}" "{input_path}"'
            result = subprocess.run(cmd, shell=True, capture_output=True)
            if result.returncode == 0:
                logger.info(f"PDF压缩成功: {output_path}")
                return True
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif format == "7z":
                import subprocess
                cmd = f'7z a "{output_path}" {" ".join(file_paths)}'
                subprocess.run(cmd, shell=True, check=True)
            
            logger.info(f"压缩成功: {output_path}")
            return True
Confidence
99% confidence
Finding
subprocess.run(cmd, shell=True, check=True)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The FAQ states that processing '默认不会修改原文件' and outputs to new files, but the skill also advertises operations such as Word editing, batch rename, merge/split, encryption/decryption, and sync that can directly alter existing files or system state. This mismatch can mislead users or downstream agents into performing destructive actions under a false assumption of safety, increasing risk of data loss or unintended modification.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation states that processing "by default will not modify the original file," but the same skill advertises operations that inherently change state or can act in place, such as document editing, batch replacement, file renaming, encryption/decryption, mail sending, and calendar actions. This mismatch can mislead users or downstream agents into performing destructive or state-changing operations under a false assumption of safety, increasing risk of data loss, unintended transmissions, or unauthorized workflow changes.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
External command execution is broader and riskier than pure document handling, and here it is implemented unsafely through a shell command. In the context of an automation skill that accepts user parameters, this substantially increases the attack surface and can become arbitrary command execution.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
PDF compression via Ghostscript introduces external command execution into the skill and is especially dangerous because it uses shell=True with user-influenced paths. This makes the feature more than just a capability disclosure issue; it is an actual code execution risk.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Generic archive compression through a shell-executed 7z command materially expands the skill's power beyond normal document formatting and creates a command injection surface. In this context, a broad file-processing skill paired with unsanitized shell execution is dangerous because arbitrary file names are often attacker-controlled.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document asserts that all operations do not modify original files, but the skill also includes actions that clearly change external state, such as sending emails, adding schedules/todos, and renaming or extracting files. This mismatch can cause users or downstream agents to trust the skill as non-destructive when it can in fact alter data or trigger side effects.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill is described as a comprehensive 'super skill' for nearly all office tasks, which makes activation scope highly ambiguous and likely to overlap with ordinary requests. In an agent environment, this can cause overbroad invocation and accidental execution of sensitive capabilities like file modification, email generation/sending, or calendar actions when the user only intended a narrow task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes impactful outbound and account-affecting features such as batch email sending, auto-reply, schedule extraction, calendar linking, reminders, and room booking, but the documentation does not prominently warn that these actions can contact external parties or modify user accounts and calendars. In an autonomous agent setting, unclear guardrails around these actions can lead to unauthorized communications, spam, privacy exposure, or unintended scheduling changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation advertises batch replace, formatting, merge, split, encryption, and other file-changing operations without clearly warning users about potential overwrites, irreversible transformations, or bulk impact on user data. In practice, this can cause accidental corruption, loss of originals, or broad unintended changes when invoked by an agent at scale.

Missing User Warnings

Low
Confidence
97% confidence
Finding
Archive extraction is performed with extractall on ZIP and RAR files without validating member paths. Malicious archives can exploit path traversal ('zip slip') using entries like ../../.ssh/authorized_keys to overwrite arbitrary files outside the target directory.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README advertises bulk email sending and attachment handling but provides no warning about consent, privacy obligations, recipient validation, or external data transmission. In an automation skill, this can normalize high-risk behavior that could lead to spam, unintended disclosure of sensitive documents, or misuse of personal data if operators assume the feature is safe by default.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation promotes broad document, spreadsheet, presentation, PDF, and utility operations without clearly warning about writes, overwrites, conversions, merges, and generated outputs that may alter or replace user data. Although the README claims original files are not modified, the listed capabilities still create a risk of accidental data loss, misplaced outputs, or unsafe assumptions if output paths, temp files, or conversions are handled incorrectly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest advertises impactful actions including email sending, PDF decrypt/encrypt, file extraction, compression, batch rename, and schedule modification, but provides no visible user-facing warning, consent model, or safeguard metadata. In an agent environment, that can enable unintended file changes, data disclosure, or external communications if these actions are exposed without clear approval gates.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger list is extremely broad and paired with 'semantic auto-recognition', making accidental activation likely from ordinary office-related conversation. In a powerful automation skill that can modify files, send emails, and schedule events, unintended activation can lead to unauthorized actions or sensitive data being processed without clear user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The email workflow collects SMTP server details, usernames, passwords, recipients, and attachments, but provides no warnings about credential sensitivity, consent, or outbound data exposure. In context, this is especially dangerous because email sending is an external side-effecting action that can leak data, abuse user accounts, or be triggered unintentionally by the broad activation rules.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file-operation sections describe batch renaming, compression, extraction, and output creation without warning users that these actions can overwrite names, create many files, or expand untrusted archives into the filesystem. Given this skill's office-automation context, missing warnings increase the chance of user confusion, accidental data loss, or unsafe handling of archive contents.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal