Security audit

ZM PPTX 检查与审核工具 (ZM PPTX Inspection and Review Tool)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a PowerPoint review/editing helper, but it includes an under-disclosed native LibreOffice workaround that compiles and preloads code from a shared temp location.

Install only if you are comfortable with a PowerPoint tool that can run local commands, modify unpacked Office files, and in some sandboxed environments compile and preload a native LibreOffice shim. Prefer using it in an isolated workspace or container, and be cautious with untrusted Office files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
96% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and instructs use of shell commands, file read/write operations, and environment-dependent tooling, but does not declare permissions. This creates a trust and containment problem: a caller or platform may treat the skill as low-privilege while it actually requires broad local execution and filesystem access, increasing the chance of unintended command execution or data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented scope says the skill is for PPTX inspection/review, but the behavior described extends into DOCX/XLSX processing, archive unpack/pack, document mutation, and execution of external tools like LibreOffice, pdftoppm, and even gcc. This mismatch is dangerous because users and orchestrators may grant trust appropriate for a narrow review tool while the skill can transform other document types and invoke broader local tooling, materially expanding the attack surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Setting LD_PRELOAD to inject a custom shared library into LibreOffice is execution-manipulation behavior that changes the target process at load time. For a PPTX inspection/review tool, this is far more powerful than necessary and increases the risk of arbitrary code execution, hard-to-audit behavior, and stealthy persistence of modified runtime semantics.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Compiling native code at runtime via gcc is outside the normal scope of PPTX parsing or review and introduces a new dependency capable of producing executable payloads. This widens attack surface, complicates auditing, and becomes especially dangerous because the compiled output is immediately injected into another process.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The shim intercepts close() and can call _exit(0), forcibly terminating the LibreOffice process based on shim state rather than normal application control flow. This kind of hidden process-control behavior is difficult to reason about, may cause data loss or inconsistent cleanup, and is not clearly justified by the tool's stated review functionality.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code rewrites unpacked XML files via pretty-printing and smart-quote escaping, and for DOCX also performs semantic modifications such as merging runs and simplifying tracked changes. In an inspection/review skill, modifying evidence during analysis is dangerous because it can alter document content, metadata, or review artifacts, undermining integrity and potentially hiding or changing information that should only be inspected.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The module contains in-place repair behavior that rewrites document XML and assigns new random durableId values, even though the skill is described as an inspection/review tool. In a review pipeline, mutation of user-supplied office documents can break evidence integrity, create non-deterministic outputs, and potentially cause downstream trust or workflow issues when users expect read-only validation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Writing source and shared-object files into the system temp directory without disclosure or hardening is unsafe because temp paths are shared, predictable, and prone to tampering or race conditions. The resulting artifacts are then used for compilation and preload injection, magnifying the impact of any file replacement or symlink attack.

VirusTotal

42/42 vendors flagged this skill as clean.