wecom-workplan-summary

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeCom work-plan summarizer, but it can read a fixed team smart sheet and temporarily writes pasted data to /tmp.

Install only if you are authorized to access the named WeCom smart sheet and process team work-plan records. For pasted data, consider deleting /tmp/workplan_paste.tsv after use or using a private temp path in shared environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The manifest says the skill should only trigger when the user explicitly provides workplan data or explicitly points to a WeCom sheet, but the body embeds a fixed docid/sheet_id and operational steps to retrieve that remote dataset directly. This creates a capability to access a preconfigured external data source beyond the user's supplied input, which can expose internal team planning data and violates least surprise and least privilege.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
Embedding a fixed smart-sheet identifier inside the skill effectively bakes in access to a specific remote dataset, even though the manifest frames operation around user-provided data or an explicit user pointer. In practice this weakens data-boundary guarantees and can cause unauthorized or unintended retrieval of potentially sensitive business records.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The documented MCP branch allows pulling records from a preconfigured WeCom sheet whenever the user asks to 'read from WeCom,' which is broader than the manifest's stricter requirement that the user explicitly provide data or a specific pointer. This mismatch increases the chance of silent overreach into remote data access and may expose sensitive team workplan information without sufficiently explicit user direction.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The skill metadata says it should run only when the user explicitly provides workplan data or points to a WeCom sheet, but the code embeds a specific docid and sheet id and will fetch that remote sheet by default. This creates an unauthorized data access path that can expose internal team planning data even when the user did not explicitly supply or authorize that source in the current request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
This function unconditionally provides the capability to read a preconfigured remote smart sheet, which is broader than the stated purpose of summarizing user-supplied workplan data. In an agent setting, that mismatch increases the chance of overreach and unintended disclosure of sensitive employee schedules, project details, or management activity.

VirusTotal

66/66 vendors flagged this skill as clean.