clawbox-link-to-docs

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill does what it advertises: fetches a user-provided link and stores the source plus an analysis in Feishu documents.

Install this only if you want the agent to fetch web pages and create Feishu documents in your workspace. Before using it with internal, paywalled, personal, or confidential links, confirm the Feishu destination and sharing permissions because the full source text may be retained there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly fetches arbitrary external URLs and creates or updates Feishu documents, but it does not state any user-facing consent, scope restriction, or safety checks around network access and document modification. This can lead to unintended data import, SSRF-style access to internal URLs if URL handling is not constrained by the runtime, or overwriting/creating documents in a user's workspace without sufficiently explicit approval.

VirusTotal

61/61 vendors flagged this skill as clean.
