Office Pro

Security checks across malware telemetry and agentic risk

Overview

Office Pro does what it claims: it locally generates Word and Excel documents, with ordinary file-output and dependency risks to review.

Install in a virtual environment or other controlled workspace, review generated contracts and spreadsheets before use, avoid giving it highly sensitive personal or business data unless the output location is secure, and use explicit safe output filenames/directories to prevent accidental overwrites.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly documents creating Word and Excel files and allows a caller-supplied output filename, but it does not warn that files will be written to disk or discuss overwrite behavior and safe output locations. In an agent setting, this can lead to unintended file creation or clobbering of existing files if the agent passes sensitive or user-controlled paths.

Unpinned Dependencies

Low

Category: Supply Chain
Content: python-docx>=1.1.2 openpyxl>=3.1.5
Confidence: 92% confidence
Finding: python-docx>=1.1.2

Unpinned Dependencies

Low

Category: Supply Chain
Content: python-docx>=1.1.2 openpyxl>=3.1.5
Confidence: 92% confidence
Finding: openpyxl>=3.1.5

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal