Docx Cn 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This Word document skill is mostly coherent, but it needs Review because it silently builds and preloads native LibreOffice helper code from shared temporary paths.

Install only if you are comfortable with a DOCX helper that can run LibreOffice, create/edit document files, write a LibreOffice macro profile under /tmp, and in some sandboxed environments compile and preload a native shim. Prefer running it in an isolated environment, avoid using it on untrusted documents on shared machines, and consider reviewing or replacing the LD_PRELOAD shim before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
95% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Compiling and injecting a custom native library through LD_PRELOAD is inherently security-sensitive because it alters process behavior before normal program startup and executes arbitrary native code in the target process. In a document-processing skill, this is more dangerous because document converters often process untrusted files, so adding a preload hook increases blast radius and makes compromise harder to reason about.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases like 'Word', '文档', and 'docx' can cause the skill to activate during ordinary conversation or unrelated document discussions. Over-triggering increases the chance that powerful file and shell behaviors are engaged unintentionally, expanding the attack surface for prompt/skill confusion.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
Forcing the author name 'Claude' for tracked changes and comments without user opt-in can silently falsify document provenance and metadata. In legal, compliance, or collaborative review contexts, incorrect authorship attribution may mislead recipients and create audit-integrity issues.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The helper silently drops source code into temp storage and compiles a preloadable shared object without user disclosure or consent. While lack of notice is not the deepest technical flaw, in this context it obscures a high-risk behavior change—native code generation and injection—that operators may not expect from a document utility.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code unconditionally sets LD_PRELOAD when the shim is deemed necessary, then launches soffice without any runtime disclosure. Injecting a preload library materially changes execution semantics and may bypass operator expectations, complicate debugging, and increase security risk if the shim path is tampered with.

VirusTotal

64/64 vendors flagged this skill as clean.
