Docx Cn

Security checks across malware telemetry and agentic risk

Overview

This Word-document skill appears purpose-aligned, but it relies on weakly contained native code injection (an LD_PRELOAD shim) and on LibreOffice automation whose macro profile and shim persist in a shared temporary directory; users should review both before installing.

Review before installing. Use this skill only in an isolated workspace, avoid processing untrusted Office files in a shared multi-user environment, clear or protect /tmp/lo_socket_shim.so and /tmp/libreoffice_docx_profile, and prefer a version that uses private per-run temporary directories, verifies the exact macro and shim before loading them, reports timeouts as failures, and pins its dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability
Severity: Medium | Confidence: 75%

The script processes user-supplied DOCX files by launching LibreOffice and installing/executing an application macro in a shared profile under /tmp. This expands the trust boundary to a complex external office suite and macro mechanism, increasing exposure to document-parser exploitation, profile tampering, or cross-request interference in multi-tenant environments.

Intent-Code Divergence
Severity: High | Confidence: 98%

On timeout, the function returns a success message even though LibreOffice did not complete normally. This can cause downstream systems to trust an output file as sanitized or fully processed when it may still contain tracked changes or be only partially written, creating integrity and workflow-security failures.

Context-Inappropriate Capability
Severity: High | Confidence: 98%

The helper dynamically writes, compiles, and injects a native shared library via LD_PRELOAD into LibreOffice, intercepting low-level libc/socket behavior. That is a powerful code-injection and process-manipulation technique far beyond normal DOCX processing, and in this skill context it materially expands the attack surface and makes execution behavior harder to audit and trust.

Intent-Code Divergence
Severity: Medium | Confidence: 95%

The module documentation frames this as a simple runtime helper, but the implementation silently injects a custom preload library that hooks socket, listen, accept, and close and can terminate the target process with _exit(0). This mismatch reduces transparency and can cause operators or downstream developers to invoke powerful behavior they did not knowingly approve.

Context-Inappropriate Capability
Severity: High | Confidence: 99%

The code calls zipfile.ZipFile.extractall() on a user-supplied Office document without validating member names. A crafted ZIP can contain path traversal entries such as ../ or absolute paths, causing files to be written outside the intended output directory and potentially overwriting application or user files. In a document-processing skill, this capability is unnecessary and makes handling untrusted documents especially risky.

Vague Triggers
Severity: Medium | Confidence: 82%

Trigger phrases like 'Word' and '文档' are extremely broad and likely to collide with routine conversation, which can cause accidental activation. In the context of a skill that can read/write files and invoke shell tools, unintended activation increases the chance of unreviewed document processing or file modification.

Natural-Language Policy Violations
Severity: Medium | Confidence: 90%

Forcing the author name to 'Claude' without explicit user opt-in alters document metadata and tracked-change provenance. This can misattribute edits, create audit-trail inaccuracies, and, in legal or compliance-sensitive workflows, mislead recipients about who made changes.

Missing User Warnings
Severity: Medium | Confidence: 97%

The code writes source and compiled shared-object artifacts into the system temp directory using predictable filenames, then later reuses the .so if it already exists. In a multi-user or attacker-influenced environment, this creates an opportunity for preplacement, replacement, or symlink abuse that could cause arbitrary code to be loaded into the LibreOffice process.

Missing User Warnings
Severity: Medium | Confidence: 95%

Running LibreOffice under LD_PRELOAD without explicit user-facing disclosure hides the fact that process behavior is being modified by injected native code. In a document-processing skill, that is unusually invasive and makes debugging, incident response, and trust assessment much harder, especially if failures or side effects occur in production.

VirusTotal

63/63 vendors flagged this skill as clean.