Doc Handler - Document Handling

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: doc-handler
Version: 1.0.0

The skill is classified as suspicious because of a significant arbitrary file read vulnerability. The `doc_handler.py` script takes a file path directly from its command-line arguments and reads it, with no check on the file's location or sensitivity. Through prompt injection against the AI agent, an attacker could therefore have the agent read any file its process can access (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). While the `SKILL.md` examples are benign, they show that the agent executes arbitrary Python code on request, which compounds the risk if the agent is prompted maliciously. There is no clear evidence of intentionally malicious behavior such as data exfiltration or persistence.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any document opened with this skill may be visible to the agent, and text inside the document should be treated as untrusted content rather than instructions.

Why it was flagged

The tool extracts and prints the contents of a user-selected document, which is expected for a document reader but means private or instruction-like document text can enter the agent context.

Skill content
filepath = sys.argv[2] ... if cmd == 'read': ... print(read_file(filepath))
Recommendation

Use the skill only on files you intend the agent to read, and treat extracted document text as data that may contain sensitive or misleading content.

What this means

Users may need to install dependencies themselves and should ensure they come from trusted package sources.

Why it was flagged

The skill depends on Python packages but does not provide a source homepage, install specification, or pinned dependency information; this is a provenance/setup gap, not evidence of malicious behavior.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Recommendation

Install required packages from trusted repositories, consider pinning versions, and verify the included code before use.

What this means

Users may expect editing support that the provided code does not actually implement.

Why it was flagged

The documentation advertises editing/writing support, but the included source only accepts `read`; this could mislead users about available functionality, though no hidden or destructive write behavior is shown.

Skill content
description: Read and edit Word, PDF and Excel documents ... | Write to Word | `python3 -m doc_handler write docx 文件 "内容"` |
Recommendation

Treat this skill as a document reader unless a reviewed write implementation is added.