xlsx

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet skill needs Review because it includes under-disclosed native LibreOffice shimming, persistent LibreOffice macro changes, and off-scope Word/PowerPoint document handling.

Install only if you are comfortable with a spreadsheet skill that can run LibreOffice, compile and preload native helper code, and modify the local LibreOffice profile. Prefer running it in a disposable or sandboxed environment, keep backups of workbooks, and avoid using it on untrusted Office documents until the off-scope DOCX/PPTX behavior and macro/shim persistence are removed or clearly controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    subprocess.run(
        ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
        check=True,
        capture_output=True,
    )
Confidence
95% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # On Windows, rely on subprocess timeout parameter instead of external tool
    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            env=get_soffice_env(),
            timeout=timeout if system == "Windows" else None,
        )
Confidence
82% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, env=get_soffice_env(), timeout=timeout if system == "Windows" else None

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This helper operates on DOCX WordprocessingML (`word/document.xml`) even though the declared skill is for spreadsheet files (`.xlsx`, `.xlsm`, `.csv`, `.tsv`). That capability mismatch is dangerous because it expands the skill's effective scope beyond user expectations and can enable unauthorized modification of Word documents inside an ostensibly spreadsheet-only skill. The mismatch makes accidental or covert cross-file tampering more plausible in agent workflows that route files based on skill metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code provides Word document editing behavior that is not justified by the spreadsheet-only manifest, specifically rewriting runs in `document.xml`. In a security context, hidden document-editing capabilities inside a mismatched skill increase the chance of policy bypass, unintended data modification, or abuse by an agent that is granted this skill under narrower assumptions. The skill context makes this more dangerous because reviewers and orchestrators may trust the manifest and permit broader file access than intended.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Compiling native code at runtime and loading it via LD_PRELOAD is far beyond normal spreadsheet-processing behavior and materially increases the attack surface. In a spreadsheet skill, this is especially concerning because it silently introduces arbitrary native code execution behavior in support tooling rather than a narrowly scoped data-processing operation.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file materially exceeds the declared spreadsheet-only scope of the xlsx skill by accepting and processing DOCX and PPTX files in addition to XLSX. In an agent setting, this kind of scope expansion is dangerous because it can cause the skill to activate on non-spreadsheet Office documents and perform unintended extraction and transformation of user content outside its authorized domain.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The DOCX-only logic rewrites document content by simplifying redlines and merging runs, which is unrelated to spreadsheet handling and can alter document semantics, revision history, or forensic value. In the xlsx skill context, these hidden content transformations make the mismatch more dangerous because a spreadsheet-focused skill should not contain latent capabilities to modify word-processing documents.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file header and examples advertise a general Office unpacker, directly conflicting with the skill metadata that says this skill is for spreadsheet files and should not trigger for other deliverables. This documentation mismatch increases the chance of unsafe or unauthorized use by operators or routing logic, enabling non-spreadsheet document handling under a misleading skill identity.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements Word redlining validation, which is unrelated to the declared spreadsheet-focused `xlsx` skill. This kind of capability drift is dangerous because it expands the skill's effective behavior beyond its advertised scope, making review, policy enforcement, and user trust assumptions less reliable; hidden off-scope document-processing code can introduce unexpected attack surface.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A subprocess-based `git diff` feature is not justified by the spreadsheet skill's stated purpose and adds unnecessary external-execution capability. Even though the current invocation is static, off-scope process execution increases attack surface, complicates sandboxing, and creates opportunities for environment/PATH abuse or policy bypass in a skill that should not need such behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script persistently installs a LibreOffice Basic macro into the user's global LibreOffice profile and then invokes it for document processing. Persisting executable code in the user's office profile creates a lasting trust boundary violation: future LibreOffice sessions may inherit or expose that macro, and the change affects more than the single file being processed.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The instructions encourage creating, editing, and overwriting spreadsheet files but do not require backup creation, confirmation before destructive writes, or preservation of originals. In a file-editing skill, that omission can lead to irreversible user data loss or corruption, especially when automated cleanup or recalculation steps modify workbooks in place.
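The safeguard this finding says is missing is a backup taken and verified before any in-place write, followed by an atomic swap so an interrupted recalculation or cleanup step cannot leave a half-written workbook. The following Python helper is an added example written for this review; it is not code from the skill or from SkillSpector. The file name `budget.xlsx`, the placeholder bytes in `demo()` and the `.bak` naming scheme are assumptions constructed for the example; the helper treats the workbook as opaque bytes so it applies to any file the skill edits in place.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Streaming SHA-256 of a file, used to verify the backup before anything is written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def safe_overwrite(path, transform, backup_dir=None):
    """Rewrite `path` with transform(original_bytes) -> new_bytes.

    Guarantees: a verified copy of the original exists before any write happens, and the
    target is swapped in with os.replace so a crash never leaves a partially written file.
    Returns (backup_path, changed).
    """
    path = Path(path)
    original = path.read_bytes()
    backup_dir = Path(backup_dir) if backup_dir else path.parent
    backup_dir.mkdir(parents=True, exist_ok=True)
    # Timestamped .bak name is an assumption; any collision-free scheme works.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    backup = backup_dir / f"{path.name}.{stamp}.bak"
    shutil.copy2(path, backup)
    if sha256_file(backup) != hashlib.sha256(original).hexdigest():
        raise RuntimeError(f"backup of {path} did not verify; aborting before any write")
    new = transform(original)
    if new == original:
        return backup, False
    # Write to a temp file in the same directory so os.replace is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new)
            f.flush()
            os.fsync(f.fileno())
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return backup, True


def demo():
    """Constructed run on a throwaway file; returns the observable results for checking."""
    with tempfile.TemporaryDirectory() as d:
        wb = Path(d) / "budget.xlsx"
        wb.write_bytes(b"PK\x03\x04original")  # constructed placeholder, not a real workbook
        backup, changed = safe_overwrite(wb, lambda b: b.replace(b"original", b"edited"))
        _, changed_noop = safe_overwrite(wb, lambda b: b)
        return backup.read_bytes(), wb.read_bytes(), changed, changed_noop


if __name__ == "__main__":
    print(demo())
```

A skill that edits workbooks in place would wrap its save step in `safe_overwrite` and surface the returned backup path to the user; refusing to proceed when the backup fails to verify is the point of the hash check.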

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The helper silently writes source code to a temp directory and compiles it without disclosure, which is unsafe from both transparency and security perspectives. Hidden compilation of native code makes auditing harder and can surprise operators, while the temp-file workflow adds avoidable filesystem risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code writes a macro file directly into the user's LibreOffice profile without any user-facing warning, confirmation, or cleanup. Silent persistence of executable office automation is dangerous because it changes the local environment in a way users may not expect, complicates auditing, and can create follow-on abuse opportunities if other files or workflows later invoke the macro.
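The findings above come from inspecting the skill's source rather than running it. As an added example, not SkillSpector's or the skill's own code, the Python checker below reproduces the four indicator classes those findings rely on using the `ast` module and string matching: a compiler invoked through `subprocess`, an `LD_PRELOAD` assignment, a write under the LibreOffice user profile, and DOCX/PPTX part names inside a skill declared as spreadsheet-only, plus the `eval`/`exec` and plain subprocess patterns listed under Vulnerability Patterns. The indicator sets, regexes, severities and the `SAMPLE` source are assumptions constructed for this example; `SAMPLE` mirrors the snippets quoted in the findings but is only parsed, never executed.

```python
import ast
import re
from pathlib import Path

# Indicators modelled on the findings above. They are assumptions for this example,
# not a published SkillSpector ruleset.
COMPILERS = {"gcc", "cc", "clang", "tcc", "cl"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_call", "subprocess.check_output", "os.system"}
PROFILE_RE = re.compile(r"libreoffice/\d+/user|\.config/libreoffice|basic/Standard", re.I)
OFF_SCOPE_RE = re.compile(r"word/document\.xml|ppt/slides|\.docx\b|\.pptx\b", re.I)
# Severities follow the report: native compile, preload and off-scope handling are High.
SEVERITY = {"native_compile": "High", "ld_preload": "High", "off_scope_document": "High",
            "profile_persistence": "Medium", "subprocess": "Medium", "dynamic_code": "Medium"}


def _dotted(func):
    """Dotted callee name such as 'subprocess.run', or None for non-name callees."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _program(call):
    """Program name from subprocess.run(["gcc", ...]) or os.system("gcc ...")."""
    if not call.args:
        return None
    arg = call.args[0]
    if isinstance(arg, ast.List) and arg.elts and isinstance(arg.elts[0], ast.Constant):
        return str(arg.elts[0].value)
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str) and arg.value.split():
        return arg.value.split()[0]
    return None


def scan_source(src):
    """Return sorted (line, category, detail) hits for one Python source string."""
    hits = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUBPROCESS_CALLS:
                prog = _program(node)
                cat = "native_compile" if prog in COMPILERS else "subprocess"
                hits.add((node.lineno, cat, prog or name))
            elif name in ("eval", "exec"):
                hits.add((node.lineno, "dynamic_code", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if "LD_PRELOAD" in s:          # also catches env["LD_PRELOAD"] = ...
                hits.add((node.lineno, "ld_preload", "LD_PRELOAD"))
            if PROFILE_RE.search(s):
                hits.add((node.lineno, "profile_persistence", s))
            if OFF_SCOPE_RE.search(s):
                hits.add((node.lineno, "off_scope_document", s))
    return sorted(hits)


def verdict(hits):
    """Review if any High category fires, Caution for Medium-only hits, else Clean."""
    cats = {cat for _, cat, _ in hits}
    if any(SEVERITY[c] == "High" for c in cats):
        return "Review"
    return "Caution" if cats else "Clean"


def scan_skill_dir(root):
    """Scan every .py file under a skill directory; returns {relative_path: hits}."""
    root = Path(root)
    return {str(p.relative_to(root)): scan_source(p.read_text(encoding="utf-8", errors="replace"))
            for p in sorted(root.rglob("*.py"))}


# Constructed sample mirroring the flagged snippets; it is parsed, never executed.
# _SHIM_SOURCE/_SHIM_SO and the profile path are placeholders, not the skill's real values.
SAMPLE = '''\
import os, subprocess, tempfile
from pathlib import Path

def build_shim():
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    subprocess.run(["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
                   check=True, capture_output=True)

def soffice_env():
    env = dict(os.environ)
    env["LD_PRELOAD"] = str(_SHIM_SO)
    return env

def install_macro(body):
    target = Path.home() / ".config/libreoffice/4/user/basic/Standard/Module1.xba"
    target.write_text(body)

def patch_docx(zf):
    return zf.read("word/document.xml")
'''

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(hit)
    print(verdict(scan_source(SAMPLE)))
```

Run `scan_skill_dir` against an unpacked skill before installing it; a single `native_compile`, `ld_preload` or `off_scope_document` hit is enough to return the same Review verdict the report gives, while the string-based indicators are deliberately broad and need a human to confirm the matched path is really being written to.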

VirusTotal

65/65 vendors reported this skill as clean.