Document Processor

Security checks across malware telemetry and agentic risk

Overview

This is a local PDF and Word processing skill with expected file conversion behavior, but users should be careful with dependency installation, output files, and OCR temporary data.

Install dependencies in a virtual environment, avoid administrator/root execution, only process files and folders you explicitly choose, use new output filenames to prevent overwrites, and delete OCR temporary directories after working with sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""运行命令并显示进度"""
    print(f"🔧 {description}...")
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        if result.returncode == 0:
            print(f"  ✅ 完成")
            return True
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes powerful capabilities via `exec`, `write`, and shell-based usage examples while the static finding indicates permissions are not explicitly declared in the expected security model. When a skill can execute commands and write files without clear permission scoping, users and policy systems may underestimate its ability to modify the environment or run unintended commands. In this context, the danger is increased because the skill directly instructs running Python scripts and installing packages, which expands execution beyond simple document manipulation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The declared purpose centers on document processing, but the skill also includes OCR analysis, page-label inference, and package installation behavior. This mismatch can mislead users and security reviewers about the actual operational scope, causing them to approve a skill that performs broader actions than expected, especially environment modification through dependency installation. The context makes this somewhat more dangerous because document-processing skills often handle sensitive local files, so hidden or underemphasized behaviors increase trust risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README states that OpenClaw will automatically detect and activate the skill whenever a user needs document processing, but it does not define narrow activation boundaries or require explicit confirmation before acting. In an agent environment, overly broad activation can cause the skill to trigger on ordinary conversations and perform unintended file operations, increasing the risk of accidental data access or modification.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The usage examples describe conversion and extraction commands that write output files, but the README does not warn users about overwrite behavior, input/output path safety, or the possibility of modifying or replacing existing files. In practice, this can lead to accidental data loss, clobbering important documents, or unsafe operation in shared directories when the agent selects default filenames or reuses existing paths.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The processor saves extracted page images and OCR text to a temporary directory on disk, which can persist sensitive document content locally beyond the active operation. In environments handling confidential PDFs, this increases the risk of unintended disclosure through leftover temp files, backups, endpoint scans, or other local users/processes.

VirusTotal

64/64 vendors flagged this skill as clean.
