WPS Word Document

Security checks across malware telemetry and agentic risk

Overview

This DOCX skill mostly matches its document-editing purpose, but it can silently contact arbitrary image URLs and can delete a chosen unpack directory during local processing.

Review before installing. Use this skill only in a dedicated working directory, avoid converting untrusted HTML that contains remote image URLs, and do not point unpack output at any folder with important files. Static scan was clean and VirusTotal was pending; the Review verdict is based on the artifact code and instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill instructs use of file read/write operations and references remote URL fetching for images, yet no explicit permissions are declared. This creates a governance gap: an agent may be allowed to perform sensitive filesystem or network actions without clear user-visible scoping or policy review, increasing the chance of unintended data access or exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is generic DOCX creation/editing, but the referenced behavior includes remote image retrieval, base64 document emission, and low-level unpack/pack XML tooling. These materially expand the trust boundary beyond ordinary document editing, enabling hidden network access and alternate data output channels that can bypass user expectations and increase abuse potential.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The converter dereferences attacker-controlled <img src> values and performs outbound HTTP(S) requests during document generation. This creates an SSRF/privacy-leak surface: converting untrusted HTML can trigger network access to internal services or external trackers, and the skill description does not imply any network behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill behavior includes hidden remote resource retrieval that is not reflected in the skill metadata or user-facing description. In an agent context, undisclosed network access is dangerous because user-provided HTML can cause the tool to contact third-party or internal endpoints unexpectedly, violating least surprise and potentially leaking environment metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper calls ZipFile.extractall() on a user-supplied DOCX/ZIP without validating member paths. A crafted archive containing entries with path traversal sequences or absolute paths can write outside output_dir, potentially overwriting arbitrary files when the skill processes an untrusted document.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends outbound requests for remote images without any visible warning, confirmation, or provenance check. This can leak IP address, headers, timing, and potentially reach sensitive internal destinations when processing untrusted HTML, which is especially risky in automated agent workflows.

VirusTotal

67/67 vendors flagged this skill as clean.