Junyi Doc Reader

Security checks across malware telemetry and agentic risk

Overview

This document-archiving skill is mostly purpose-aligned, but the privacy controls it documents for optional LLM enrichment do not match what the code actually does.

Review before installing. Use offline modes unless you intentionally want LLM enrichment, and if you do, explicitly set DOC_READER_API_URL, DOC_READER_MODEL, DOC_READER_API_KEY, and DOC_READER_ALLOW_EXTERNAL=true so you know where document chunks are sent. Use a least-privilege Feishu account and choose an output vault appropriate for the sensitivity of the archived documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'req' from os.environ.get (line 101, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )

    resp = urllib.request.urlopen(req, timeout=60)
    body = json.loads(resp.read().decode("utf-8"))

    # Extract content from OpenAI-compatible response
Confidence
96% confidence
Finding
resp = urllib.request.urlopen(req, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to use shell execution, read local files, write output files, access environment variables, and make network requests, yet it does not declare any permissions. This creates a transparency and policy-enforcement gap: a user or platform may believe the skill is low-privilege while it can actually access Feishu credentials, exfiltrate document content to configured endpoints, and write into an Obsidian vault.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The disclosure claims there is no hardcoded production default, but the code sets DEFAULT_API_URL to a live OpenAI endpoint. This mismatch is dangerous because operators may believe enrichment cannot send data externally unless they explicitly provide a URL, while in reality setting only an API key is enough to enable transmission to a third-party service.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The disclosure states that enrichment requires DOC_READER_ALLOW_EXTERNAL=true, but the implementation never checks that flag and will run whenever an API key is present. In a document-archiving skill, this creates a meaningful risk of silent exfiltration of sensitive document content based on incomplete user configuration and misleading assurances.
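
The two Intent-Code Divergence findings above describe one gate: enrichment should run only when DOC_READER_ALLOW_EXTERNAL=true and an explicit DOC_READER_API_URL is set, but the code runs on an API key alone and falls back to a live DEFAULT_API_URL. The block below is an added example, not the skill's own code: it models the reported behaviour beside a gate that matches the disclosure, so an operator can see which environments diverge. The helper names, the placeholder value of DEFAULT_API_URL, and the sample environments are assumptions; only the variable names come from the findings.

```python
"""Added example (not the Junyi Doc Reader code): the enrichment gate as disclosed
versus as the SkillSpector findings describe it.

Assumed: helper names below are hypothetical; DEFAULT_API_URL is a placeholder,
since the page does not show the skill's actual value.
"""
from typing import Mapping, Optional

# Placeholder standing in for the "live OpenAI endpoint" the finding reports.
DEFAULT_API_URL = "https://api.openai.com/v1/chat/completions"


def enrichment_target_as_implemented(env: Mapping[str, str]) -> Optional[str]:
    """Behaviour the findings describe: a key alone enables transmission, the URL
    falls back to a live default, and DOC_READER_ALLOW_EXTERNAL is never read.
    Returns the URL document chunks would be sent to, or None."""
    if not env.get("DOC_READER_API_KEY"):
        return None
    return env.get("DOC_READER_API_URL") or DEFAULT_API_URL


def enrichment_target_as_disclosed(env: Mapping[str, str]) -> Optional[str]:
    """Gate matching the disclosure: explicit opt-in, explicit URL, explicit key,
    no production default, and only https targets. Returns the URL or None."""
    if env.get("DOC_READER_ALLOW_EXTERNAL", "").strip().lower() != "true":
        return None  # opt-in flag missing or not literally "true"
    url = env.get("DOC_READER_API_URL", "").strip()
    key = env.get("DOC_READER_API_KEY", "").strip()
    if not url or not key:
        return None  # no URL means no enrichment; there is no default to fall back to
    if not url.startswith("https://"):
        return None  # refuse plaintext endpoints for document content
    return url


def audit(env: Mapping[str, str]) -> dict:
    """Compare both gates for one environment. A mismatch is exactly the
    intent-code divergence the findings report: chunks leave the host when the
    operator's configuration says they should not."""
    implemented = enrichment_target_as_implemented(env)
    disclosed = enrichment_target_as_disclosed(env)
    return {
        "implemented": implemented,
        "disclosed": disclosed,
        "diverges": implemented != disclosed,
    }


if __name__ == "__main__":
    # Constructed environments, not taken from any real deployment.
    samples = {
        "key only": {"DOC_READER_API_KEY": "sk-example"},
        "key + url, no opt-in": {
            "DOC_READER_API_KEY": "sk-example",
            "DOC_READER_API_URL": "https://llm.internal.example/v1/chat/completions",
        },
        "fully explicit": {
            "DOC_READER_API_KEY": "sk-example",
            "DOC_READER_API_URL": "https://llm.internal.example/v1/chat/completions",
            "DOC_READER_MODEL": "example-model",
            "DOC_READER_ALLOW_EXTERNAL": "true",
        },
    }
    for name, env in samples.items():
        print(f"{name}: {audit(env)}")
```

Run it against your own shell environment with `audit(os.environ)`: any result with `diverges` set to True is a configuration under which the installed code would transmit chunks while the disclosure says it would not.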

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger list includes broad natural-language phrases such as '读大文档' (read a large document), '归档文档' (archive a document), '帮我读这个PDF' (help me read this PDF), and 'index document', which can match ordinary conversation rather than an intentional invocation. Because this skill can read files, access local credentials in Feishu mode, invoke shell commands, and write to disk, accidental triggering can cause unintended data processing or network access.

VirusTotal

65/65 vendors flagged this skill as clean.
