ClawHub

Huo15 Openclaw Office Doc

Security checks across malware telemetry and agentic risk

Overview

The skill mainly generates Word and PDF documents, but it also includes default enterprise credential reuse, insecure Odoo network access, persistence, and unrelated agent-configuration behavior that users should review before installing.

Install only if you are comfortable with the skill using local files and, by default, attempting Odoo access with existing OpenClaw credentials when company info is missing. Prefer running document commands with explicit --company-name and --logo-path or --no-odoo, review ~/.huo15/company-info.json and any memory files it creates, and avoid running generate-config.sh unless you intentionally want it to write OpenClaw workspace/persona/memory files. The deployment template should also be edited to remove or replace the admin/admin test credential before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented workflow expands from local document rendering into retrieval of company data from Odoo plus persistence in local cache and memory. That broadens data exposure and creates a data-handling pathway for potentially sensitive corporate identity information that is not necessary for many document-generation tasks.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatic Odoo res.company lookup introduces external enterprise-system access into a skill whose core purpose is document creation. If invoked in the wrong context, the skill could pull internal company metadata or logos using local credentials without the user realizing the request triggered business-system access.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to read and write long-lived memory records containing company identity data, which exceeds transient document rendering. Persistent storage increases the blast radius of mistakes or compromise because sensitive organizational details may remain accessible to future tasks or unrelated contexts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A local company-info helper unexpectedly reads Odoo credentials from other application directories and contacts a remote ERP service to fill missing fields. In a document-generation skill, this expands the trust boundary and introduces credential and network access behavior that users may not reasonably expect from a local metadata utility.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code disables TLS certificate validation and hostname checking before authenticating to Odoo and retrieving company data. This allows a man-in-the-middle attacker to intercept credentials, tamper with returned metadata, or substitute malicious content during the remote fetch.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script generates broad assistant workspace files such as SOUL.md, MEMORY.md, AGENTS.md, and BOOTSTRAP.md that establish persona, behavior, and long-term memory, which is unrelated to a Word/PDF document-generation skill. This expands the skill from document rendering into general agent reconfiguration, increasing the attack surface and enabling persistent behavioral influence beyond the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The generated instructions tell the agent to write important information from every conversation into persistent memory files. In a document-generation context, this creates unnecessary retention of potentially sensitive business, legal, and personal data and gives the skill a durable mechanism to shape future agent behavior outside the immediate task.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad and overlap with ordinary requests such as writing documents, contracts, reports, or PDFs. Overbroad activation can cause the skill to run in unintended situations, which is more dangerous here because the skill also includes shell, file, persistence, and network-adjacent behaviors.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Generic aliases like '文档生成', 'Word生成', and 'PDF生成' are likely to collide with many benign user requests and other skills. This increases the chance of accidental invocation and unintended side effects, especially when the skill can write files and access persisted company information.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The fallback trigger for generic '合同 / 协议 / 协议书 / 补充协议' is too broad and can capture many common legal-writing requests. Because the skill may also auto-fetch company data and persist identity details, accidental invocation could lead to unintended access or state changes during a routine drafting request.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger section repeats many ambiguous activation phrases without clear boundaries, effectively maximizing the chance of invocation on everyday writing requests. In a skill with side effects beyond text formatting, ambiguous routing is a meaningful security issue because it can unexpectedly expose files, memory, or enterprise integrations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool silently performs network access and downloads a logo file into the local assets directory during a routine metadata resolution path. In this skill context, hidden network/file-write side effects increase risk because document-generation helpers are expected to be local and predictable, making covert data sourcing harder for users to detect or control.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script reads Odoo credentials from local files owned by another toolchain without clear runtime disclosure or consent. Even if the credentials are only used for intended ERP access, silently reusing them in a document helper broadens credential exposure and can surprise users or operators reviewing the skill's behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The deployment guide instructs operators to validate the system using a default `admin/admin` account and does not warn that this credential must be changed, disabled, or made temporary. In a real deployment template, publishing or normalizing default administrative credentials can lead to immediate account compromise if the account exists in production or is left enabled after testing.

Ssd 3

Medium
Confidence
96% confidence
Finding
The persistence rule directs the agent to store conversation-derived information after every chat in long-lived markdown memory files. That creates a natural-language data retention risk: sensitive contract, HR, legal, or operational details may be unnecessarily copied into additional files, increasing disclosure risk and making later prompt-driven leakage easier.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal