docx

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Word-document skill, but it needs review: it silently compiles a native shim in the shared temporary directory and injects it into LibreOffice via LD_PRELOAD.

Install only if you are comfortable giving the skill authority to run LibreOffice and document-conversion tools, modify DOCX contents, and compile/load a native LibreOffice compatibility shim. Use it on copies of important documents, avoid untrusted Office files where possible, and review tracked-change author metadata and outputs before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    subprocess.run(
        ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
        check=True,
        capture_output=True,
    )
Confidence
93% confidence
Finding
subprocess.run invokes gcc to compile the embedded shim source (_SHIM_SOURCE), written to a fixed path in the shared temporary directory, into a shared object (_SHIM_SO) that is later loaded into the LibreOffice process. check=True makes a failed build raise, and capture_output=True swallows compiler diagnostics, so the user sees neither the build nor its output.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest says not to use the skill for PDFs, but the workflow explicitly converts DOCX to PDF and rasterizes pages to images. This inconsistency can bypass routing expectations and lead the agent to perform document transformations outside the advertised scope, which may surprise users and increase data handling exposure.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This helper creates and injects a custom shared library into another process using LD_PRELOAD, which is a powerful OS-level code injection mechanism. That goes well beyond normal document conversion behavior and means compromise of the shim path or build step can lead to arbitrary native-code execution inside the spawned LibreOffice process.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation presents the module as a compatibility helper, but the embedded shim contains a forced _exit(0) on listener close, which terminates the target process immediately, skipping atexit handlers and buffered-I/O flushing. Hidden process-termination behavior is dangerous because it can cause data loss, inconsistent state, or difficult-to-diagnose failures in calling workflows.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to capture generic requests like reports, memos, letters, or templates, even when the user did not ask for DOCX output. Over-broad invocation can route unrelated tasks into a high-capability skill that reads/writes files and runs external tools, increasing unnecessary exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports editing existing files and accepting tracked changes, which are destructive or semi-destructive operations, but the description does not clearly warn about this. Users or orchestrators may invoke it expecting non-invasive analysis, resulting in silent modification of important documents.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
Forcing the author name to 'Claude' without user opt-in causes unauthorized attribution changes in tracked changes and comments. This can create audit-integrity issues in legal, HR, or compliance-sensitive documents where authorship metadata matters.
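
A concrete way to act on the overview's advice to review tracked-change author metadata before sharing, as an added example that is not part of the scanned skill or of the SkillSpector report: it opens a .docx as the ZIP container it is, parses the OOXML parts under word/, and lists every w:author value on tracked insertions, deletions, property changes and comments, so an unexpected name such as 'Claude' stands out. The sample document is constructed inline and is not a real file; the element list is the standard OOXML set, and the helper names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
# OOXML elements that carry a w:author attribute: tracked insertions and
# deletions, run/paragraph property-change records, and comments.
AUTHORED = ("w:ins", "w:del", "w:rPrChange", "w:pPrChange", "w:comment")


def authors_in_docx(docx_bytes: bytes) -> dict[str, set[str]]:
    """Map each author name to the set of 'part:element' locations it appears in."""
    found: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue  # non-XML or damaged part: nothing to audit there
            for tag in AUTHORED:
                for el in root.iterfind(f".//{tag}", NS):
                    author = el.get(f"{{{W}}}author")
                    if author:
                        found.setdefault(author, set()).add(f"{part}:{tag}")
    return found


def unexpected_authors(docx_bytes: bytes, expected: set[str]) -> dict[str, set[str]]:
    """Authors present in revisions or comments that the user did not expect."""
    return {a: where for a, where in authors_in_docx(docx_bytes).items() if a not in expected}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real document): one tracked insertion
    attributed to 'Claude', one deletion by 'Alice', and a comment by 'Claude'."""
    document = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
  <w:ins w:id="1" w:author="Claude" w:date="2024-01-01T00:00:00Z"><w:r><w:t>added</w:t></w:r></w:ins>
  <w:del w:id="2" w:author="Alice" w:date="2024-01-01T00:00:00Z"><w:r><w:delText>removed</w:delText></w:r></w:del>
</w:p></w:body></w:document>"""
    comments = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Claude"><w:p><w:r><w:t>note</w:t></w:r></w:p></w:comment></w:comments>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for author, where in sorted(authors_in_docx(build_sample_docx()).items()):
        print(author, sorted(where))
```

Run it over a document produced by the skill and compare the result with the set of people who actually edited it. For Office files from untrusted sources, parse with defusedxml instead of xml.etree, since the standard parser does not guard against entity-expansion attacks.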

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The helper silently writes native source code and a shared object to a fixed, predictable path in the temporary directory and compiles them without any explicit user-facing disclosure or trust boundary checks. Beyond the transparency concern, a world-writable temp directory is a shared attack surface: another local user can pre-create or symlink the source or output path before the skill runs, and whatever ends up there is compiled and loaded into LibreOffice. Native build steps are far more sensitive than ordinary document handling.
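
The weak pattern from the first finding beside a hardened staging step, as an added example that is not the skill's own code: instead of a fixed name under tempfile.gettempdir(), the source is written into a fresh mode-0700 directory that is verified rather than trusted, and the file is created with O_EXCL and O_NOFOLLOW so a pre-planted file or symlink is an error instead of something that gets compiled. The gcc argument list is the one shown in the finding with only the paths changed; it is built but not executed here. Assumes a POSIX host (os.getuid, O_NOFOLLOW); the shim source string and the helper names are this example's placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

SHIM_NAME = "lo_socket_shim.c"


def weak_shim_path() -> Path:
    """The flagged pattern: a fixed, predictable name in the shared temp dir.
    Any local user who pre-creates or symlinks this path before the skill
    runs controls what gets compiled and loaded into LibreOffice."""
    return Path(tempfile.gettempdir()) / SHIM_NAME


def private_build_dir() -> Path:
    """Hardened: a fresh directory created with mode 0700, then verified
    (not a symlink, owned by us, no group/other bits) rather than trusted.
    Assumes a POSIX host; os.getuid() does not exist on Windows."""
    d = Path(tempfile.mkdtemp(prefix="lo-shim-"))
    st = d.lstat()
    if (stat.S_ISLNK(st.st_mode)
            or st.st_uid != os.getuid()
            or stat.S_IMODE(st.st_mode) != 0o700):
        raise RuntimeError(f"refusing to use build dir {d}")
    return d


def write_source_exclusively(path: Path, source: str) -> None:
    """Create with O_CREAT|O_EXCL|O_NOFOLLOW: a file or symlink already at
    the path is an error, never silently followed or overwritten."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(source)


def stage_shim(source: str) -> tuple[Path, Path]:
    """Stage the source and the output .so path inside a private directory.
    Returns (source_path, so_path)."""
    build_dir = private_build_dir()
    src = build_dir / SHIM_NAME
    write_source_exclusively(src, source)
    return src, build_dir / "lo_socket_shim.so"


def gcc_argv(src: Path, so: Path) -> list[str]:
    # Same flags as the flagged call; only the paths differ.
    return ["gcc", "-shared", "-fPIC", "-o", str(so), str(src), "-ldl"]


def staged_is_private(src: Path) -> bool:
    """Post-condition a caller can check before handing the path to gcc."""
    st = src.lstat()
    return (not stat.S_ISLNK(st.st_mode)
            and stat.S_IMODE(st.st_mode) == 0o600
            and stat.S_IMODE(src.parent.lstat().st_mode) == 0o700)


def second_write_is_rejected(src: Path) -> bool:
    """O_EXCL means a file that already exists at the path (ours or an
    attacker's) makes the write fail instead of being replaced."""
    try:
        write_source_exclusively(src, "/* replaced */")
    except FileExistsError:
        return True
    return False


if __name__ == "__main__":
    # Placeholder standing in for the skill's _SHIM_SOURCE, which is not shown here.
    src, so = stage_shim("/* constructed placeholder shim source */")
    print("weak path:", weak_shim_path())
    print("private path:", src, "private:", staged_is_private(src))
    print("build command:", " ".join(gcc_argv(src, so)))
```

The directory should be removed after the shared object has been loaded; keeping the compiled artifact in a private, per-run location also means a later run cannot pick up a stale or tampered .so from a previous one.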

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function extracts arbitrary archive contents into a user-specified directory with extractall() and then rewrites discovered XML-related files in place, without checking whether existing files will be overwritten or whether archive member paths escape the destination. In an agent setting that processes untrusted Office files, this can lead to unintended filesystem modification and potentially path traversal overwrite if a crafted archive contains malicious entry names. Note that if this is zipfile.extractall on a current CPython, absolute prefixes and ".." components are stripped from member names on extraction, so the classic zip-slip is mitigated; silent overwriting of existing files and writes through a symlinked directory that already exists under the destination are not.
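
An extractall() replacement that closes the gaps named in this finding, as an added example that is not the skill's own code: every member path is normalised and checked against the resolved destination before anything is written, an existing file is an error unless overwriting is explicitly requested, and a path that resolves outside the destination because a directory under it is already a symlink is rejected too. The archives and the pre-planted symlink scenario are constructed inline; the helper names are this example's own, and the symlink check assumes a POSIX host.

```python
import io
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """Raised for any entry whose path would land outside the destination."""


def safe_extract(archive: bytes, dest: Path, allow_overwrite: bool = False) -> list[Path]:
    """Check every member first, write only if all of them are safe."""
    dest = dest.resolve()
    plan: list[tuple[zipfile.ZipInfo, Path]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for info in z.infolist():
            rel = Path(info.filename.replace("\\", "/"))
            if rel.is_absolute() or rel.drive or ".." in rel.parts:
                raise UnsafeArchiveMember(info.filename)
            # resolve() follows a symlink that already exists under dest
            # (planted earlier, or left by a previous run), so a detour
            # outside the destination is caught as well.
            target = (dest / rel).resolve()
            if target != dest and dest not in target.parents:
                raise UnsafeArchiveMember(info.filename)
            if not info.is_dir() and target.exists() and not allow_overwrite:
                raise FileExistsError(str(target))
            plan.append((info, target))
        written: list[Path] = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(z.read(info))
            written.append(target)
    return written


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed archive for the demo. writestr keeps names verbatim, so a
    traversal entry like '../evil.txt' is stored exactly as a hostile
    producer would emit it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


CLEAN = make_zip({"word/document.xml": b"<w:document/>", "[Content_Types].xml": b"<Types/>"})
TRAVERSAL = make_zip({"word/document.xml": b"<w:document/>", "../evil.txt": b"owned"})


def fresh_dest() -> Path:
    return Path(tempfile.mkdtemp(prefix="unpack-"))


def extraction_rejected(archive: bytes, dest: Path) -> bool:
    try:
        safe_extract(archive, dest)
    except UnsafeArchiveMember:
        return True
    return False


def overwrite_rejected(archive: bytes, dest: Path) -> bool:
    try:
        safe_extract(archive, dest)
    except FileExistsError:
        return True
    return False


def symlink_detour_rejected() -> bool:
    """Constructed scenario: dest/word already exists as a symlink pointing
    outside dest, as a local attacker could pre-plant in a shared directory."""
    dest, outside = fresh_dest(), fresh_dest()
    (dest / "word").symlink_to(outside, target_is_directory=True)
    return extraction_rejected(CLEAN, dest)


if __name__ == "__main__":
    d = fresh_dest()
    print("clean archive wrote:", [str(p) for p in safe_extract(CLEAN, d)])
    print("traversal rejected:", extraction_rejected(TRAVERSAL, fresh_dest()))
    print("second run refuses to overwrite:", overwrite_rejected(CLEAN, d))
    print("symlinked subdir rejected:", symlink_detour_rejected())
```

Checking the whole member list before the write loop matters: rejecting a bad entry halfway through would leave a half-unpacked tree that the in-place XML rewrite step would then operate on.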

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The repair_whitespace_preservation method writes modified XML back to disk automatically whenever it detects leading or trailing whitespace in text nodes, but there is no explicit consent, dry-run mode, or clear audit trail beyond console output. In a document-manipulation skill, silent mutation of unpacked OOXML contents can alter user documents unexpectedly, create integrity issues, and make it harder to distinguish validator behavior from user-authored changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal