document-reader

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local document and archive reader, with some implementation risks around broad parsing and temporary files but no evidence of hidden or malicious behavior.

Install only if you are comfortable letting the agent read the specific documents or archive members you choose. Use an isolated environment, avoid processing untrusted archives or confidential files on shared machines, and consider patching the script to use secure temporary files before handling sensitive material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly enables reading arbitrary local documents and archive contents, but the metadata shown does not declare corresponding file-read permissions. Undeclared file access is dangerous because it obscures the skill's real capability from reviewers and policy controls, increasing the chance of unintended access to sensitive local files or data inside archives.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The textract fallback allows processing of effectively arbitrary file types not explicitly declared in the skill scope, which weakens type restrictions and may invoke complex parsers on untrusted input. In an agent environment, this increases attack surface because document-parsing libraries have a history of parser bugs, resource exhaustion, and unexpected behavior when handling malformed files.
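The check a reader should make instead of falling through to a catch-all parser, as an added example (this is not the scanned skill's code and not textract's): the extension must be on an explicit allowlist and the bytes must match that type, otherwise the file is refused. The allowlist, the helper names and the sample files are assumptions constructed here for the demonstration; real code would pass the full file to the check, since the OOXML test reads the ZIP central directory at the end of the file.

```python
"""Declared-type gate for a document reader (added example, not the skill's code)."""
import io
import os
import zipfile


def _looks_like_text(data: bytes) -> bool:
    """UTF-8 decodable with no NUL bytes: rules out binaries renamed to .txt."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def _is_pdf(data: bytes) -> bool:
    return data.startswith(b"%PDF-")


def _is_docx(data: bytes) -> bool:
    """A .docx is a ZIP whose listing carries the OOXML content-types part and
    a Word document part; a plain ZIP renamed to .docx fails this."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and "word/document.xml" in names


# Extension allowlist (what the skill should declare) and the content check each
# declared type must pass. Order matters: binary signatures are tried before the
# permissive text check. There is no fallback branch for anything else.
DECLARED = {".pdf": "pdf", ".docx": "docx", ".txt": "text", ".md": "text"}
SIGNATURES = {"pdf": _is_pdf, "docx": _is_docx, "text": _looks_like_text}


def classify(name: str, data: bytes) -> str:
    """Return the declared type for this file, or raise ValueError."""
    ext = os.path.splitext(name)[1].lower()
    declared = DECLARED.get(ext)
    if declared is None:
        raise ValueError(f"{name}: '{ext or '(none)'}' is not a declared type")
    sniffed = next((t for t, check in SIGNATURES.items() if check(data)), None)
    if sniffed != declared:
        raise ValueError(f"{name}: content looks like {sniffed or 'unknown'}, declared {declared}")
    return declared


def triage(files: dict) -> dict:
    """Map each name -> bytes to its type or its refusal reason, so the
    decision is visible to the caller rather than hidden in a fallback."""
    result = {}
    for name, data in files.items():
        try:
            result[name] = classify(name, data)
        except ValueError as exc:
            result[name] = f"refused: {exc}"
    return result


def _fake_docx(with_document_part: bool) -> bytes:
    """Constructed OOXML-shaped ZIP for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_document_part:
            zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLES = {  # constructed inputs, not real files
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n",
    "memo.docx": _fake_docx(True),
    "notes.txt": "plain text\n".encode(),
    "renamed.txt": b"%PDF-1.7\n",       # a PDF renamed to .txt
    "archive.docx": _fake_docx(False),  # a ZIP that is not an OOXML document
    "tool.exe": b"MZ\x90\x00",          # undeclared type: refused, no fallback
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

The point of the two-sided check is that a mismatch between name and content is itself a refusal reason: a renamed PDF never reaches the text path, and an undeclared type never reaches any parser.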

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Archive members are written to a predictable path under /tmp derived from the archive basename, which can expose extracted content to other local users and processes and creates race and symlink risks. Because the filename is not randomized and the file is opened with a plain open() rather than an exclusive-create open (O_EXCL/O_NOFOLLOW), an attacker on the same host could pre-create or replace the path, for example with a symlink, to redirect the write or influence what is subsequently read.
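The vulnerable pattern beside the secure-temporary-file fix the overview recommends, as an added example (not the scanned skill's code): a throwaway archive is built, a symlink is planted at the predictable path the way a hostile local user could, and both extractors are run. Directory names, member names and the archive contents are assumptions constructed here; the demonstration needs a POSIX host for os.symlink.

```python
"""Predictable /tmp path vs. secure temporary files (added example, not the skill's code)."""
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # bound decompressed output per member


def vulnerable_extract(archive: str, member: str, tmp_root: str) -> str:
    """The pattern in the finding: the path is derived from the archive basename,
    so any local user can predict it, and a plain open() follows whatever
    symlink was planted there."""
    out = os.path.join(tmp_root, f"{os.path.basename(archive)}-{os.path.basename(member)}")
    with zipfile.ZipFile(archive) as zf, open(out, "wb") as fh:
        fh.write(zf.read(member))
    return out


def exclusive_write(path: str, data: bytes) -> None:
    """Create-or-fail open: O_EXCL refuses a pre-existing file or symlink,
    O_NOFOLLOW refuses to traverse one, and mode 0600 keeps content private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def hardened_extract(archive: str, member: str) -> str:
    """Extract one member into a fresh 0700 directory from mkdtemp, through a
    file that mkstemp opened with O_CREAT|O_EXCL (plus O_NOFOLLOW where the
    platform has it). The path is unpredictable and the copy is streamed under
    a size cap instead of being read whole into memory."""
    suffix = Path(member).suffix
    if not re.fullmatch(r"\.[A-Za-z0-9]{1,8}", suffix):
        suffix = ""  # an odd member name must not shape the temp name
    workdir = tempfile.mkdtemp(prefix="docreader-")
    fd, out = tempfile.mkstemp(dir=workdir, suffix=suffix)
    with zipfile.ZipFile(archive) as zf, zf.open(member) as src, os.fdopen(fd, "wb") as dst:
        remaining = MAX_MEMBER_BYTES
        while chunk := src.read(min(65536, remaining)):
            dst.write(chunk)
            remaining -= len(chunk)
            if remaining == 0 and src.read(1):
                raise ValueError(f"{member}: exceeds {MAX_MEMBER_BYTES} bytes")
    return out


def demo() -> dict:
    """Plant a symlink at the predictable path and run both extractors."""
    root = tempfile.mkdtemp(prefix="demo-")
    try:
        archive = os.path.join(root, "report.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("notes.txt", "attacker-controlled content")
        victim = os.path.join(root, "victim.txt")
        Path(victim).write_text("original")
        predictable = os.path.join(root, "report.zip-notes.txt")
        os.symlink(victim, predictable)  # the pre-planted path

        vulnerable_extract(archive, "notes.txt", root)
        clobbered = Path(victim).read_text() != "original"

        Path(victim).write_text("original")
        try:
            exclusive_write(predictable, b"x")
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True

        out = hardened_extract(archive, "notes.txt")
        private_dir = (os.stat(os.path.dirname(out)).st_mode & 0o777) == 0o700
        shutil.rmtree(os.path.dirname(out))
        return {
            "vulnerable_clobbered_victim": clobbered,
            "exclusive_open_refused_symlink": exclusive_refused,
            "hardened_dir_is_0700": private_dir,
            "victim_intact_after_hardened": Path(victim).read_text() == "original",
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32} {ok}")
```

In the skill itself the natural shape is a tempfile.TemporaryDirectory() context around the whole read, so the private directory and its members are removed when the agent finishes with them rather than left under a shared /tmp.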

VirusTotal

60/60 vendors flagged this skill as clean.
