officecli-docx

Security checks across malware telemetry and agentic risk

Overview

This DOCX skill is mostly a document-editing guide, but it tells agents to automatically download and run an unpinned GitHub installer/updater during normal use.

Install only if you trust the OfficeCLI upstream installer and are comfortable approving any installation or upgrade yourself. Prefer installing a pinned, verified officecli version separately, use this skill only for explicit .docx work, and edit copies of important documents before running bulk tracked-change, global replace, remove, or raw XML commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill instructs the agent to download and execute a remote installer and upgrade script before DOCX operations. This introduces arbitrary code execution and supply-chain risk that is not necessary for the stated document-processing purpose, and it expands the skill's privilege boundary from local file handling to network retrieval and shell execution.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The manifest frames the skill as handling .docx documents, but the instructions add network access, version lookups, and execution of fetched scripts. This mismatch is dangerous because a user invoking a document skill would not reasonably expect it to perform remote code execution or contact external services.

Vague Triggers

Severity: High
Confidence: 88%
Finding: The trigger text is extremely broad, including generic words like 'document', 'report', 'letter', and 'memo', which can cause the skill to activate in many unrelated contexts. Because this skill also contains risky install/upgrade behavior, over-triggering materially increases exposure to unsafe actions.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill tells the agent to fetch and run a remote install script with no explicit warning, confirmation, provenance verification, or sandboxing. Silent execution of externally hosted scripts is a classic high-risk pattern because compromise of the source or transport results in immediate code execution.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill includes an example command that loads an image directly from a remote URL (`https://example.com/logo.png`) without warning that this triggers network access. In an agent setting, users may expect local document manipulation only; silently fetching remote resources can leak IP/addressing metadata, create unwanted outbound traffic, and import untrusted content into generated documents.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The guide documents `accept-changes=all` and `reject-changes=all` as routine commands without warning that they irreversibly alter review history and may discard proposed edits or silently finalize unreviewed changes. In a document-editing skill, this can cause destructive modification of legal, business, or compliance-sensitive documents if an agent follows the instructions automatically or without explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The raw XML section provides direct `raw-set` mutation examples without a strong warning that malformed or overly broad XPath/XML edits can corrupt the DOCX structure, remove content, or create documents that Word cannot open reliably. Because this skill is specifically for modifying Office documents, these instructions increase the chance that an agent escalates to low-level destructive operations on user files without sufficient safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.