ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Libreoffice Cli

v1.0.0

Comprehensive document conversion, creation and editing via LibreOffice CLI (Headless-Modus). Use for: PDF export, format conversion (doc↔odt↔pdf, xls↔ods↔xl...

0· 71·1 current·1 all-time
byWaltraud by joerg - Human-AI Collaboration@joergbot-cloud
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included scripts (convert, batch, extract, pdf, merge, health checks) match: the bundle implements LibreOffice headless CLI workflows and documentation aligns with that purpose. The package.json lists libreoffice as a prerequisite which is appropriate. Minor metadata inconsistency: registry lists source/homepage as unknown/none while package.json contains repo/homepage fields.
!
Instruction Scope
SKILL.md instructs the agent to run the included shell scripts and examples are limited to local conversions and integrations. However the scripts build and execute commands via eval and string concatenation (e.g., constructing find and libreoffice command strings and calling eval), which can be unsafe when processing untrusted filenames or arguments and may allow shell injection. Scripts create temporary files in /tmp and call external programs (parallel, jq, gog in examples) — examples reference network integrations but those are not executed automatically. No instructions request unrelated secrets or system-wide config.
Install Mechanism
No install spec is provided (instruction-only publish with bundled scripts), so nothing will be downloaded/installed by the platform. This is lower risk. package.json lists libreoffice dependency (informational) but there is no automatic installer; user must install LibreOffice separately.
Credentials
The skill does not request credentials or require environment variables. README documents optional env vars (LIBREOFFICE_PATH, LIBREOFFICE_PROFILE_DIR, LIBREOFFICE_MEMORY_LIMIT) which are reasonable for configuring local LibreOffice usage. No unrelated secrets or config paths are required.
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges. Scripts operate on local files and /tmp profile dirs but do not modify other skills or agent configuration. There is no autonomous-install behavior in the files provided.
What to consider before installing
This skill appears to do what it says (LibreOffice headless wrappers) and contains useful scripts and documentation. However: 1) Inspect the scripts before use — they construct shell commands and call eval, which can be exploited if file names or inputs are attacker-controlled; avoid running them on untrusted directories. 2) Run the skill in a sandboxed environment (container or unprivileged user) and set LIBREOFFICE_PROFILE_DIR to an isolated temp directory. 3) If you plan to process files from external sources, sanitize filenames or modify the scripts to avoid eval/concatenation (use arrays and pass arguments safely). 4) The README shows example integrations that call external tools (gog, drive, network uploads) — those are examples only, but confirm you want any downstream upload actions. If you are not comfortable auditing shellcode, run conversions on a disposable VM/container.

Like a lobster shell, security has layers — review code before you run it.

latestvk970h700c06pqvqc4nya95497n83ttjk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments