Xlsx Cn

Security checks across malware telemetry and agentic risk

Overview

This Excel skill is mostly purpose-aligned, but its recalculation helper can persistently change LibreOffice settings and load a compiled native shim, so it should be reviewed before installation.

Install only if you are comfortable with a spreadsheet helper that runs LibreOffice, modifies local Excel files during recalculation, writes a persistent LibreOffice macro into your user profile, and may compile/load a native compatibility shim. Prefer running it in a disposable or isolated environment and work on copies of important spreadsheets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
97% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read and write files, inspect environment assumptions, and execute shell commands (`python scripts/recalc.py`) while declaring no permissions. This creates a trust and containment gap: a caller or policy engine may believe the skill is low-privilege when it actually requires code execution and filesystem access, increasing the risk of unauthorized file access or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The advertised scope is Excel processing, but the behavior apparently includes broader Office-package handling, DOCX/PPTX validation, Word tracked-change processing, ZIP package manipulation, and LibreOffice subprocess/environment shimming. This mismatch is dangerous because users and policy systems may authorize the skill for a narrow spreadsheet task while it can touch other document types and invoke more powerful processing paths than expected.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Dynamically generating and compiling an LD_PRELOAD shared library gives the skill the ability to execute arbitrary native code on the host. In the context of an Excel-processing skill, this is an unjustified privilege escalation of capability and significantly increases the risk of sandbox bypass, persistence, or host compromise if the mechanism is altered or abused.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Setting LD_PRELOAD to inject a custom shared library causes all dynamically linked code in the child process to load attacker-controlled interposed functions before libc. This can alter runtime behavior in hard-to-audit ways and is especially dangerous because it is hidden behind a helper for ordinary office document conversion.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file is part of an XLSX-focused skill, but its documented purpose and implementation explicitly support DOCX and PPTX as well. This creates a capability/scope mismatch: consumers, policy layers, or reviewers may trust the skill as Excel-only while it can process other Office document types, increasing attack surface and enabling unintended document manipulation paths.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The runtime behavior goes beyond the manifest's Excel-only scope by unpacking any .docx, .pptx, or .xlsx archive and applying transformations to extracted XML, including DOCX-specific redline and run merging. In an agent setting, this hidden expansion of capability is dangerous because policy enforcement and user trust may be based on the declared Excel-only purpose, allowing non-Excel documents to be accessed or modified unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script writes a persistent LibreOffice macro into the user's application profile, which modifies global state outside the target workbook and survives beyond a single operation. That creates an unnecessary persistence mechanism and expands the blast radius of the skill from file processing into long-lived office-environment modification.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill alters external LibreOffice user configuration rather than limiting itself to the workbook supplied by the user. In the context of an Excel-processing skill, changing application profile contents is overbroad behavior and increases risk because it affects future LibreOffice sessions and other documents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The helper silently compiles and deploys a shared library at runtime without disclosure or user consent. Even if intended as a compatibility workaround, undisclosed native code generation and execution is risky behavior that undermines transparency and makes security review and containment more difficult.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code both installs a macro and later causes the workbook to be saved, yet the script interface does not clearly warn that it will modify files and application state. Silent persistent changes are risky because users may expect analysis-only behavior from a recalculation utility.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The embedded macro performs ThisComponent.store(), which saves the target workbook in place without a clear warning or opt-in from the caller. In-place modification is especially risky for user documents because recalculation can change cached values, formulas, links, or file metadata and may destroy forensic or business-critical state.

VirusTotal

64/64 vendors flagged this skill as clean.
