Huo15 Skills

Security checks across malware telemetry and agentic risk

Overview

The advertised Word/PDF document skill package includes multiple unrelated high-impact tools for scraping, cloud uploads, credential use, Docker deployment, and multi-agent execution, so it needs review before installation.

Install only if you want the whole Huo15 multi-skill toolkit, not just a Word/PDF generator. Review or remove the unrelated subdirectories before use, and be especially cautious with Qichacha login cookies, NotebookLM uploads of local files, Odoo/OpenClaw credential access, Docker/SearXNG deployment, and multi-agent exec/process permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (104)

Context-Inappropriate Capability
Severity: Medium | Confidence: 86%
The PDF export feature depends on invoking LibreOffice from the command line, introducing subprocess execution and trust in an external binary. If filenames, paths, or arguments are user-influenced and not safely handled in the implementation, this can enable command injection, unsafe file access, or abuse of local tooling beyond simple document generation.

Description-Behavior Mismatch
Severity: Medium | Confidence: 92%
The skill is presented as a generic JS-rendered web scraper, but it also embeds a persistent workflow to build and update a local Enterprise WeChat documentation knowledge base. That expands the skill from ad hoc scraping into ongoing data collection/storage behavior, which can cause unreviewed scope creep, policy bypass, and unintended retention of scraped content in local workspace state.

Description-Behavior Mismatch
Severity: Medium | Confidence: 95%
The file advertises not only JS page scraping but also enterprise-intelligence retrieval through Qichacha MCP/API integration and direct company lookup. This materially broadens the capability into business intelligence and potentially sensitive third-party data access, increasing the chance of over-collection, unauthorized use, or operator confusion about what the skill is permitted to do.

Context-Inappropriate Capability
Severity: Medium | Confidence: 97%
The documentation instructs users to load an external GitHub-hosted skill unrelated to the local scraper's core function. Referencing and operationalizing an unpinned external repository introduces supply-chain risk, because users may import code or prompts that have not been reviewed, may change over time, and could carry malicious instructions or unsafe capabilities.

Description-Behavior Mismatch
Severity: High | Confidence: 99%
This file implements Qichacha scraping, QR-code login handling, and cookie capture/storage despite the skill being presented as a Word/PDF document generation tool. That mismatch is a strong indicator of hidden or undeclared functionality, which is dangerous because it can collect authenticated session material and access external business data outside the user's reasonable expectations.

Context-Inappropriate Capability
Severity: High | Confidence: 98%
The code launches a browser, visits an external service, drives QR-code login, detects successful authentication, and then reuses the resulting session to scrape company data. In the context of a document-generation skill, these capabilities are unjustified and materially increase risk by enabling credentialed data access and covert collection from a third-party site.

Description-Behavior Mismatch
Severity: High | Confidence: 99%
The file implements a full remote website scraping CLI using Playwright/scrapling, which materially contradicts the declared skill purpose of Word/PDF document generation. This kind of capability mismatch is dangerous because it can hide undisclosed network collection behavior inside a seemingly unrelated skill, increasing the risk of covert data access, policy bypass, or user deception.

Context-Inappropriate Capability
Severity: High | Confidence: 97%
The code can fetch arbitrary remote URLs and extract page content even though the skill is described as an office document generator. In this context, unjustified outbound web access is risky because it enables unexpected network activity and content collection that users and reviewers would not reasonably expect from the advertised functionality.

Intent-Code Divergence
Severity: Medium | Confidence: 94%
The module header and CLI description explicitly advertise a JavaScript-rendered site scraper, directly conflicting with the manifest's office-document-generation description. Such inconsistencies are a supply-chain red flag because they can conceal undeclared capabilities and make security review or user consent ineffective.

Description-Behavior Mismatch
Severity: High | Confidence: 98%
This file implements a WeCom documentation scraper and local knowledge-base builder, which materially diverges from the declared office document generation purpose of the skill. Hidden or undeclared capabilities are dangerous in agent skills because they expand the trust boundary, introduce unexpected network and filesystem behavior, and can enable covert data collection or repurposing of the package beyond user expectations.

Context-Inappropriate Capability
Severity: High | Confidence: 97%
The code launches a browser via Playwright and fetches external content from developer.work.weixin.qq.com, which is not justified by a Word document generation skill. In this context, undeclared browser automation and outbound network access are risky because they can be repurposed for arbitrary scraping, tracking, or staged retrieval of additional content without aligning to the user-facing purpose.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
The script persists scraped documentation into a structured knowledge base under the user's home directory and generates index files, even though this storage behavior is unrelated to office document creation. This increases risk by creating unexpected local artifacts, consuming disk space, and leaving behind content the user did not knowingly request, which is especially concerning when paired with undeclared scraping behavior.

Intent-Code Divergence
Severity: Medium | Confidence: 92%
The module docstring openly describes enterprise WeCom documentation scraping, directly contradicting the advertised office document generation intent. This mismatch is a supply-chain trust issue: it suggests the package contains undeclared functionality, making users and reviewers less able to reason about what the skill will actually do.

Description-Behavior Mismatch
Severity: High | Confidence: 98%
The script automatically performs remote NotebookLM account checks and triggers `nlm login`, which is unrelated to the declared office-document generation skill. This creates a hidden networked authentication flow and remote account interaction that users would not reasonably expect from a Word/PDF document tool, increasing the risk of unauthorized account use and data exposure.

Description-Behavior Mismatch
Severity: High | Confidence: 99%
The script accepts arbitrary URLs, YouTube links, and local files and uploads them as sources to a remote NotebookLM notebook, which is far outside the stated purpose of generating Word/PDF documents. In the context of an office-doc skill, this is dangerous because sensitive local documents or user-supplied links may be exfiltrated to a third-party cloud service without clear, purpose-aligned disclosure.

Description-Behavior Mismatch
Severity: High | Confidence: 98%
The script submits study prompts to NotebookLM and generates audio/video overviews instead of producing office documents as advertised. This mismatch makes the skill more dangerous because users may invoke a document tool while actually causing remote AI processing of their content, with attendant privacy, billing, and data-governance risks.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Automatic re-login to a remote NotebookLM account is not justified by the declared office-document purpose and introduces unnecessary authentication activity. Even if not overtly malicious, silently initiating account reauthentication expands attack surface, surprises users, and may lead to unintended access to cloud resources under the user's identity.

Context-Inappropriate Capability
Severity: Medium | Confidence: 93%
The skill explicitly documents child-agent permissions that allow "exec" and "process", even though the stated purpose is coordination, task distribution, and result aggregation. Granting execution-capable permissions to spawned subagents materially increases the blast radius of prompt injection, unsafe task delegation, or accidental command execution, especially in a parallel multi-agent system.

Description-Behavior Mismatch
Severity: High | Confidence: 94%
The script implements a generic multi-agent coordination system that is unrelated to the declared Word/PDF document-generation purpose of the skill. This capability expands the skill's operational scope, creates a hidden execution/control plane, and could be abused to coordinate arbitrary agent tasks outside user expectations, increasing the risk of unauthorized actions or privilege misuse.

Context-Inappropriate Capability
Severity: High | Confidence: 95%
The code provides generic task assignment, status tracking, result collection, and coordinator lifecycle management, which amounts to a reusable orchestration framework rather than a narrowly scoped office-document utility. In the context of an office-doc skill, this unjustified capability is dangerous because it can enable indirect execution of arbitrary workflows through spawned workers, making abuse and lateral expansion easier.

Description-Behavior Mismatch
Severity: High | Confidence: 95%
The script implements persistent multi-agent/team orchestration, worker lifecycle management, and workspace state mutation under ~/.openclaw/workspace, which is materially unrelated to the declared Word/PDF document-generation purpose. This capability expansion increases attack surface and can enable unauthorized task spawning, state manipulation, or misuse of shared agent workspace resources under a misleading skill identity.

Context-Inappropriate Capability
Severity: Medium | Confidence: 81%
The skill explicitly documents a Word-to-PDF conversion feature backed by LibreOffice and command-line/script invocation, which expands the skill from simple document formatting into external tool execution and filesystem-affecting behavior. Even though the markdown does not itself show the subprocess code, this capability materially increases attack surface because malicious filenames, unsafe argument handling, or unexpected bulk conversion could lead to command execution issues or unintended processing of local files.

Description-Behavior Mismatch
Severity: Medium | Confidence: 97%
The document-generation script reads local OpenClaw/Odoo credential files and uses them to contact an external company system during normal document creation. This is a scope expansion beyond local document formatting and creates an unnecessary pathway for credential use, data disclosure, and unintended outbound access in a skill whose primary purpose is offline document generation.

Context-Inappropriate Capability
Severity: Medium | Confidence: 98%
The skill performs network access and authenticates to Odoo solely to fetch company name and logo, which is not necessary for generating a Word file. In an agent environment, hidden credential use and outbound connections are risky because they can surprise users, expose secrets to additional code paths, and create dependency on remote systems for a local task.

Context-Inappropriate Capability
Severity: Low | Confidence: 92%
When no local logo is available, the script downloads a remote image from the internet during document creation. Even though the fetched content is only branding, this introduces unsolicited outbound traffic, availability dependence on a third party, and a supply-chain risk if the remote asset changes or is replaced.

VirusTotal

65/65 vendors flagged this skill as clean.
