xlsx-test-me

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet skill is not proven malicious, but it is rated Review because it contains hidden, conflicting tool-governance instructions, Office document (DOCX/PPTX) code outside its declared spreadsheet scope, and under-disclosed persistent and native LibreOffice behavior (a Basic macro written to the user profile and a compiled LD_PRELOAD shim).

Review before installing. Use only if you are comfortable with a spreadsheet skill that can also process Word/PowerPoint files, writes a persistent LibreOffice macro to the user profile, may compile and preload native code for LibreOffice, and contains conflicting hidden tool-governance text. Prefer running it in an isolated workspace/profile and avoid using it on sensitive original files without backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
97% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The injected compliance block mandates exclusive use of a proprietary spreadsheet suite, while the rest of the skill instructs use of LibreOffice, pandas, and openpyxl. Conflicting operational directives are dangerous because they can be used to steer agents toward unauthorized tooling or create ambiguity that bypasses normal validation and security controls.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file clearly implements WordprocessingML/DOCX tracked-change processing, while the skill metadata claims the skill is for spreadsheets. This scope mismatch is dangerous because it can cause the agent to invoke document-manipulation code in the wrong context, violating user expectations and potentially modifying unintended file types or bypassing security controls that depend on accurate skill scoping.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This helper compiles embedded C source (_SHIM_SOURCE) into a shared object at runtime and injects it into LibreOffice via LD_PRELOAD, so the shim's code runs inside the target process before normal program logic. In a spreadsheet-oriented skill this is far more capability than the task needs: it is a general native code-execution primitive that could be repurposed for persistence, interception of library calls, or sandbox escape attempts.
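
One way to catch both halves of this pattern (the runtime compile step from the subprocess finding above and the preload injection) during a review is a small AST scan over the skill's Python sources. The following is an added example, not code from the skill or from SkillSpector; the embedded sample is constructed to resemble the flagged helper (the function names build_shim and launch and the .so path are assumptions), and the compiler and environment-variable watchlists are the author's own choice.

```python
"""AST scan for runtime native-code compilation and LD_PRELOAD injection.
Added example, not code from the skill or from SkillSpector."""
import ast
from dataclasses import dataclass

COMPILERS = {"gcc", "cc", "clang", "clang++", "g++", "tcc", "ld"}          # watchlist: assumed
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
PRELOAD_VARS = {"LD_PRELOAD", "DYLD_INSERT_LIBRARIES"}                    # glibc and macOS dyld hooks


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str     # "native-compile", "preload-injection" or "subprocess"
    detail: str


def _dotted_name(node):
    """Turn Attribute/Name chains like subprocess.run into 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _argv0(call):
    """Literal program name from the first positional argument, if recoverable."""
    if not call.args:
        return None
    argv = call.args[0]
    if isinstance(argv, ast.List) and argv.elts and isinstance(argv.elts[0], ast.Constant):
        return argv.elts[0].value if isinstance(argv.elts[0].value, str) else None
    if isinstance(argv, ast.Constant) and isinstance(argv.value, str):
        return argv.value.split()[0] if argv.value.split() else None
    return None


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name and name.startswith("subprocess.") and name.split(".")[-1] in SUBPROCESS_FUNCS:
            prog = _argv0(node)
            base = prog.rsplit("/", 1)[-1] if prog else None
            kind = "native-compile" if base in COMPILERS else "subprocess"
            self.findings.append(Finding(node.lineno, kind, f"{name} -> {prog!r}"))
        # dict(os.environ, LD_PRELOAD=...) passes the variable as a keyword, not a string literal
        for kw in node.keywords:
            if kw.arg in PRELOAD_VARS:
                self.findings.append(Finding(node.lineno, "preload-injection", f"{kw.arg} keyword"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # covers env["LD_PRELOAD"], os.environ["LD_PRELOAD"], {"LD_PRELOAD": ...}, os.putenv("LD_PRELOAD", ...)
        if isinstance(node.value, str) and node.value in PRELOAD_VARS:
            self.findings.append(Finding(node.lineno, "preload-injection", f"{node.value} string"))
        self.generic_visit(node)


def scan_source(source):
    """Return findings sorted by line; raises SyntaxError on unparsable input."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: (f.line, f.kind))


def needs_review(source):
    """True when the source both compiles native code and injects a preload library."""
    kinds = {f.kind for f in scan_source(source)}
    return {"native-compile", "preload-injection"} <= kinds


# Constructed sample resembling the flagged helper; not the skill's actual code.
SAMPLE = '''\
import os, subprocess, tempfile
from pathlib import Path
_SHIM_SO = Path(tempfile.gettempdir()) / "lo_socket_shim.so"
_SHIM_SOURCE = "/* placeholder C source */"

def build_shim():
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    subprocess.run(["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
                   check=True, capture_output=True)

def launch(soffice):
    env = dict(os.environ)
    env["LD_PRELOAD"] = str(_SHIM_SO)
    return subprocess.Popen([soffice, "--headless"], env=env)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line:>3}  {f.kind:<18} {f.detail}")
```

The scan only recognises the module-qualified spelling (subprocess.run, not a bare run imported with from subprocess import run) and literal program names, so treat a clean result as "nothing obvious" rather than proof of absence; the point is that the compile and the preload together are the signal worth escalating, which is what needs_review encodes.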

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file explicitly implements generic Office unpacking for DOCX, PPTX, and XLSX, while the skill manifest says this skill should be used for spreadsheet-focused tasks. This scope mismatch can cause the agent to invoke document-processing capabilities outside the declared trust boundary, increasing the chance of unintended access to or modification of non-spreadsheet content.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The unpack() logic accepts and processes .docx and .pptx files in addition to .xlsx, directly contradicting the spreadsheet-only skill description. In an agent setting, this hidden capability expands the operational scope of the skill and may let users or higher-level planners route general document-editing tasks through a skill that appears limited to spreadsheets.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module docstring and CLI examples advertise generic Office editing support, which conflicts with the spreadsheet-specific manifest and can mislead maintainers, reviewers, or orchestration logic about the skill's true behavior. Misleading documentation around capability boundaries is dangerous because it obscures effective permissions and makes policy enforcement harder.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements Word/DOCX validation logic inside a skill whose manifest is explicitly scoped to spreadsheets (.xlsx, .xlsm, .csv, .tsv). That scope mismatch is a real security concern because it expands the agent’s effective file-handling surface beyond declared intent, enabling unintended processing of DOCX content and undermining policy, review, and user expectations about what the skill can touch.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The repair() and repair_durableId() paths do more than inspect files: they modify DOCX XML and write the changes back to disk, despite this being a spreadsheet-only skill. Unjustified mutation capability increases risk because a caller or chained workflow could cause the skill to alter non-spreadsheet documents outside its declared scope, creating integrity issues and providing an unauthorized file-repair primitive.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements Word redlining validation inside a skill whose declared purpose is limited to spreadsheet processing. That capability mismatch is dangerous because out-of-scope document handling expands the attack surface, defeats user and platform expectations about what the skill can process, and can enable unauthorized handling of different file types and workflows.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Adding a Word-document validation capability unjustified by the spreadsheet-only scope materially broadens what the agent can inspect and manipulate. In context, this is more dangerous because the skill description conditions operators and users to expect spreadsheet-only behavior, so hidden or undocumented document-processing logic can bypass intended trust boundaries and increase exposure to malicious document inputs.
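
The scope findings above (DOCX tracked-change processing, generic DOCX/PPTX/XLSX unpacking, Word validation and repair) all reduce to one check: which file types does the code actually handle versus which ones the manifest declares. The following is an added example of that check, not code from the skill or from SkillSpector. The manifest text and the source it scans are constructed for illustration (the declared list mirrors the .xlsx, .xlsm, .csv, .tsv scope quoted in the findings), and the set of extensions treated as "document types" is the author's assumption.

```python
"""Compare the file types a skill manifest declares with the ones its code handles.
Added example, not SkillSpector or skill code; manifest and source below are constructed."""
import ast
import re
from collections import defaultdict

# Extensions treated as document types; container parts such as .xml or .rels are ignored on purpose.
DOCUMENT_EXTENSIONS = {"doc", "docx", "docm", "odt", "ppt", "pptx", "pptm", "odp",
                       "xls", "xlsx", "xlsm", "ods", "csv", "tsv", "pdf"}
_EXT_RE = re.compile(r"\.([A-Za-z0-9]{2,5})\b")


def declared_extensions(manifest_text):
    """Document extensions named anywhere in the manifest text, e.g. '(.xlsx, .xlsm, .csv, .tsv)'."""
    return {e.lower() for e in _EXT_RE.findall(manifest_text) if e.lower() in DOCUMENT_EXTENSIONS}


def referenced_extensions(source):
    """Map extension -> source lines where a string literal mentions it."""
    hits = defaultdict(set)
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for ext in _EXT_RE.findall(node.value):
                if ext.lower() in DOCUMENT_EXTENSIONS:
                    hits[ext.lower()].add(node.lineno)
    return hits


def scope_violations(manifest_text, source):
    """Extensions the code handles but the manifest never declares, with the lines involved."""
    declared = declared_extensions(manifest_text)
    return {ext: sorted(lines) for ext, lines in referenced_extensions(source).items()
            if ext not in declared}


# Constructed manifest; the declared list follows the scope quoted in the findings.
MANIFEST = """\
name: xlsx-test-me
description: Read, analyze and edit spreadsheets (.xlsx, .xlsm, .csv, .tsv) with LibreOffice, pandas and openpyxl.
"""

# Constructed source resembling the generic unpack() the findings describe.
SOURCE = '''\
import zipfile
SUPPORTED = (".docx", ".pptx", ".xlsx")

def unpack(path, out_dir):
    """Unpack any supported Office container."""
    if not path.lower().endswith(SUPPORTED):
        raise ValueError("unsupported file type")
    with zipfile.ZipFile(path) as z:
        z.extractall(out_dir)

def document_xml(unpacked_dir):
    return unpacked_dir / "word/document.xml"
'''

if __name__ == "__main__":
    for ext, lines in sorted(scope_violations(MANIFEST, SOURCE).items()):
        print(f"undeclared .{ext} handled at lines {lines}")
```

Run over every module in the skill, this turns the eight narrative scope findings into a short list of (extension, line) pairs that a reviewer can confirm or dismiss one by one; a path like word/document.xml inside the container deliberately does not count, since it is a part name, not a file type the skill accepts.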

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Invoking external git subprocesses for diff generation is unjustified for a spreadsheet-focused skill and further expands the runtime attack surface beyond the declared purpose. Even though these specific calls are not shell-injection sinks, relying on external binaries introduces environmental trust issues, inconsistent behavior across hosts, and unnecessary execution capability in a context that should be constrained to spreadsheet processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function writes directly back to word/document.xml after transforming tracked changes, with no confirmation, backup, write-to-temp-then-rename swap, or explicit opt-in safety check. In an agent setting this can silently destroy the forensic and history value of the redlines, or corrupt the document if the transformation is wrong, making accidental data loss and integrity failures more likely.
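
The safeguards this finding lists (backup, temp-file swap, explicit opt-in for in-place writes) are cheap to implement for an OOXML package, which is a zip archive. The following is an added example, not the skill's or SkillSpector's code: it rewrites one part, defaults to writing an .edited copy, and only overwrites the original when in_place=True is passed, after taking a .bak copy and swapping the new archive in with os.replace. The package contents it builds are constructed placeholders, not a real Word document.

```python
"""Rewrite one part of an OOXML package without touching the original unless asked.
Added example, not the skill's or SkillSpector's code; the package contents are constructed."""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Constructed minimal package; real documents carry many more parts and relationships.
ORIGINAL_XML = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                b'<w:body/></w:document>')
CONTENT_TYPES = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')


def make_sample_package(directory):
    pkg = Path(directory) / "sample.docx"
    with zipfile.ZipFile(pkg, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", ORIGINAL_XML)
    return pkg


def read_part(package, member):
    with zipfile.ZipFile(package) as z:
        return z.read(member)


def replace_part(package, member, new_bytes, *, in_place=False):
    """Return (written_path, backup_path).

    Default: write '<stem>.edited<suffix>' next to the original and leave the original alone.
    in_place=True: copy the original to '<name>.bak' first, then swap the new package in with
    os.replace, so a crash mid-write leaves either the old file or the new one, never a torn one."""
    package = Path(package)
    target = package if in_place else package.with_name(f"{package.stem}.edited{package.suffix}")
    fd, tmp_name = tempfile.mkstemp(dir=package.parent, prefix=package.name + ".", suffix=".tmp")
    os.close(fd)
    tmp = Path(tmp_name)
    try:
        with zipfile.ZipFile(package) as src, zipfile.ZipFile(tmp, "w") as dst:
            found = False
            for info in src.infolist():
                if info.filename == member:
                    dst.writestr(info, new_bytes)   # reuse ZipInfo: same compression and timestamp
                    found = True
                else:
                    dst.writestr(info, src.read(info.filename))
        if not found:
            raise KeyError(f"{member} not in {package.name}")
        with open(tmp, "rb") as fh:              # flush to disk before the rename exposes it
            os.fsync(fh.fileno())
        backup = None
        if in_place:
            backup = package.with_name(package.name + ".bak")
            shutil.copy2(package, backup)
        os.replace(tmp, target)
    except BaseException:
        tmp.unlink(missing_ok=True)
        raise
    return target, backup


def demo():
    """Exercise both modes on a constructed package; returns two dicts of checks."""
    with tempfile.TemporaryDirectory() as d:
        pkg = make_sample_package(d)
        new_xml = b"<w:document><w:body><w:p/></w:body></w:document>"
        edited, bak = replace_part(pkg, "word/document.xml", new_xml)
        copy_mode = {
            "original_untouched": read_part(pkg, "word/document.xml") == ORIGINAL_XML,
            "edited_written": read_part(edited, "word/document.xml") == new_xml,
            "no_backup": bak is None,
        }
        target, bak = replace_part(pkg, "word/document.xml", new_xml, in_place=True)
        inplace_mode = {
            "target_is_original": target == pkg,
            "original_replaced": read_part(pkg, "word/document.xml") == new_xml,
            "backup_has_old": read_part(bak, "word/document.xml") == ORIGINAL_XML,
            "other_parts_kept": read_part(pkg, "[Content_Types].xml") == CONTENT_TYPES,
            "no_tmp_left": not list(Path(d).glob("*.tmp")),
        }
        return copy_mode, inplace_mode


if __name__ == "__main__":
    print(demo())
```

The temp file is created in the same directory as the package so that os.replace stays a same-filesystem rename; writing to the system temp directory and then moving across filesystems would reintroduce the torn-file window the swap is meant to close.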

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The embedded LibreOffice macro calls ThisComponent.store(), which overwrites the original spreadsheet in place during recalculation. In an agent skill context, this is risky because users may expect analysis-only behavior, and unannounced mutation can destroy evidence, alter business data, or permanently save formula side effects into the source file.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists a Basic macro into the user's LibreOffice profile under Standard/Module1.xba without clear consent or cleanup. In a skill environment, silently installing application-level macros changes the host state beyond the requested file operation and can create lasting trust and maintenance issues, especially if later documents or workflows invoke the same profile.
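
Because the macro lands in the user profile rather than in the document, a reviewer should check the profile itself, both for this module and for any other Basic code that saves documents in place or runs external commands (the ThisComponent.store() behavior from the previous finding included). The following is an added example of such an audit, not the skill's or SkillSpector's code. It reads the .xba module files (LibreOffice stores Basic source as the text of a script:module element), flags a small watchlist of calls chosen by the author, and ships with a constructed Module1.xba that imitates the described macro; the default profile path it assumes is the usual Linux location.

```python
"""Audit Basic modules in a LibreOffice user profile for calls that change host or file state.
Added example, not the skill's or SkillSpector's code."""
import re
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

SCRIPT_NS = "{http://openoffice.org/2000/script}"

# Watchlist (the author's choice): in-place saves, shell execution and raw file I/O.
RISKY_CALLS = {
    "writes-document": re.compile(r"\bThisComponent\.store(?:AsURL|ToURL)?\s*\(", re.I),
    "shell-exec": re.compile(r"\bShell\s*\(|SystemShellExecute", re.I),
    "file-io": re.compile(r"\b(?:Kill|FileCopy)\b|\bOpen\b.+\bFor\s+(?:Output|Append|Binary)\b", re.I),
}


def default_basic_dir():
    """Assumed default on Linux; other platforms keep the profile elsewhere."""
    return Path.home() / ".config" / "libreoffice" / "4" / "user" / "basic"


def audit_basic_dir(basic_dir):
    """Return one record per .xba module with (tag, line) flags for risky calls."""
    records = []
    for xba in sorted(Path(basic_dir).rglob("*.xba")):
        root = ET.parse(xba).getroot()
        code = (root.text or "").lstrip("\n")       # the Basic source is the element text
        flags = []
        for tag, rx in RISKY_CALLS.items():
            for m in rx.finditer(code):
                flags.append((tag, code.count("\n", 0, m.start()) + 1))
        records.append({
            "library": xba.parent.name,              # e.g. Standard
            "module": root.get(SCRIPT_NS + "name", xba.stem),
            "path": str(xba),
            "flags": sorted(flags, key=lambda f: f[1]),
        })
    return records


# Constructed module resembling the one the finding describes; not the skill's actual macro.
SAMPLE_XBA = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
Sub RecalcAndSave
    ThisComponent.calculateAll()
    ThisComponent.store()
End Sub
</script:module>
"""


def demo():
    """Write the sample into a throwaway Standard library and audit it."""
    with tempfile.TemporaryDirectory() as d:
        std = Path(d) / "Standard"
        std.mkdir()
        (std / "Module1.xba").write_text(SAMPLE_XBA, encoding="utf-8")
        return audit_basic_dir(d)


if __name__ == "__main__":
    target = default_basic_dir()
    for rec in (audit_basic_dir(target) if target.is_dir() else demo()):
        print(rec["library"], rec["module"], rec["flags"] or "clean")
```

Run it before and after installing the skill and diff the module list: a new Standard/Module1.xba carrying a writes-document flag is exactly the host-state change this finding describes, and the record's path tells you what to remove if the skill does not clean up after itself.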

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal