Back to skill

Security audit

Kingdoc 2.1.0

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent KingDoc document-management integration, but it asks for broad cloud document authority while several destructive and credential-handling safeguards are only documented, not enforced in the artifacts.

Review before installing. This skill is not showing artifact-backed malware or hidden exfiltration, and VirusTotal is clean, but it can read, edit, overwrite, share, delete, and permanently destroy KingDoc files using broad personal/team scopes. Install only in an environment where plaintext config.json secrets are protected, avoid granting more OAuth scopes than needed, require human confirmation for overwrites, sharing, permission changes, rollback, delete, and permanent destroy, and rotate the App Secret if the skill directory or logs may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that imply file read/write, network access, and shell execution, yet no explicit permission declaration is present. This creates a transparency and least-privilege problem: users and hosting platforms cannot accurately assess or constrain what the skill may do, increasing the risk of unexpected local file modification, command execution, or data egress.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The documented purpose does not fully disclose several behaviors, including local document generation, external update checks/reporting, and account/quota queries. Undisclosed behaviors are dangerous because they expand the actual trust boundary beyond what a user would reasonably expect, especially where local file creation and outbound network requests are involved.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill exposes self-reporting and update-check capabilities that are not necessary for core document management and create an auxiliary outbound communication path. Even if these endpoints appear harmless, they expand the attack surface and could be abused for telemetry, environment fingerprinting, or covert signaling outside the expected document workflow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README presents natural-language trigger examples such as '帮我写一份会议纪要' and '把这个 PDF 传到云端' that are broad enough to overlap with ordinary user conversation. In a skill that can create, modify, upload, and roll back cloud documents, such broad invocation patterns increase the chance of accidental activation and unintended state-changing operations.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrases are very broad and overlap with ordinary user requests such as writing notes, creating tables, or reading documents. In agent ecosystems, overly generic triggers can cause the skill to activate in situations where users did not clearly intend file operations, uploads, permission changes, or cloud interactions, leading to unintended data access or modification.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that all write operations are recorded to a local audit log, but the description does not give a clear user-facing warning about what data is logged, where it is stored, or how long it is retained. Audit logs can capture sensitive document content, filenames, identities, or sharing actions, creating local privacy and data retention risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The editing workflow for documents and presentations relies on local generation followed by upload/overwrite, but the description does not clearly warn users that existing cloud files may be replaced or that content will be uploaded as part of the edit path. This can cause accidental data loss, exposure of sensitive local content, or destructive overwrites if users assume in-place granular editing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The delete tool performs a remote file deletion immediately with no built-in confirmation, dry-run mode, or safety interlock. In an agent context, this increases the chance of accidental or prompt-induced destructive actions against user data because the operation is one API call away from execution.

Missing User Warnings

High
Confidence
96% confidence
Finding
The permanent destroy operation irreversibly deletes files from trash without any explicit warning or confirmation barrier in the tool interface. In an autonomous or semi-autonomous agent setting, this materially raises the risk of unrecoverable data loss from misuse, prompt injection, or operator error.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This tool overwrites remote document content directly and does not expose any confirmation, diff preview, or concurrency guard beyond an optional version field. That makes unintended data corruption or loss more likely if an agent is manipulated into writing arbitrary content or if the caller omits version control.

Missing User Warnings

High
Confidence
99% confidence
Finding
The CLI test flow prints the bearer access token to stdout, which can expose it through terminal history, logs, CI job output, shell capture, or monitoring systems. Anyone who obtains the token may be able to access KingDoc APIs with the granted scope until the token expires.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly creates a share link with permission="edit" and returns the URL, but provides no warning about who can access it, whether the link is externally reachable, or the risks of granting edit access. In a document-management skill, this can lead users to unintentionally expose or allow modification of sensitive content, especially because the example normalizes link sharing as a default completion step.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The notification workflow sends document update details to an external WeCom webhook, including document name, updater, and timestamp, without any privacy or data-export warning. In this skill's context, where users manage the full lifecycle of online documents, such outbound notifications can disclose sensitive metadata or content-derived context to third-party channels if used carelessly or misconfigured.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script converts the secure string back into plaintext and writes it to config.json on disk, exposing the App Secret to any local user, malware, backup system, or process that can read the file. This is especially risky because the secret grants production API access with read/write scopes over user and team files, so compromise could lead to unauthorized document access or modification.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer collects an App Secret interactively and writes it in plaintext to config.json on disk without warning the user or applying any file-permission hardening. This creates a real credential exposure risk because other local users, backup systems, malware, shell history substitutes, or accidental commits can recover the secret and abuse the document API with the granted scopes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.