Docx Anthropic

Security checks across malware telemetry and agentic risk

Overview

This Word-document skill is mostly purpose-aligned, but review is warranted because some helpers can compile and load native code from predictable temporary locations.

Install only if you are comfortable with a DOCX helper that runs local document tools and may use a temporary macro profile plus an LD_PRELOAD native shim for LibreOffice compatibility. Prefer a single-user or sandboxed environment, avoid untrusted Office files on shared systems, and review sensitive tracked-change/comment metadata before sharing outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
95% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands and performs file reads/writes while declaring no permissions, which creates a capability transparency gap. That mismatch can bypass policy expectations, making it easier for an over-privileged skill to operate on local files or invoke external tooling without reviewers or users realizing the scope.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as DOCX-focused, but the behavior found by analysis extends into generic Office-package manipulation, PPTX/XLSX handling, and LD_PRELOAD-based runtime modification. This is dangerous because reviewers and routing logic may trust the narrow description while the skill actually exposes a much broader and more powerful attack surface than advertised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Compiling and injecting a native LD_PRELOAD shim is a privileged and security-sensitive capability unrelated to normal Word document manipulation. In the context of a document skill, this is especially dangerous because it silently introduces arbitrary native code into a spawned process, greatly increasing the blast radius of compromise.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script explicitly advertises support for PPTX and XLSX even though the skill metadata scopes the capability to Word documents (.docx). In an agent setting, this scope mismatch can bypass higher-level policy or routing constraints, causing the skill to process files outside its declared trust boundary and increasing the chance of unintended data handling.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The input validation accepts .pptx and .xlsx files despite the skill being described as a DOCX-only Word-document capability. In an agent framework, this creates a real policy-enforcement gap: an attacker or confused user can supply non-DOCX Office archives and have them unpacked and processed under a skill that should never touch them.
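The two Description-Behavior Mismatch findings above describe an input check that lets .pptx and .xlsx packages through a skill scoped to Word documents. The block below is an added example, not the scanned skill's code and not part of the scanner output: it shows the permissive extension check beside a strict allowlist that also opens the package and confirms that [Content_Types].xml declares a WordprocessingML main document part, so a workbook renamed to .docx is rejected as well. The helper names (permissive_is_office, is_docx, build_package, demo) and the MAX_TYPES_PART limit are assumptions made for the example; the sample packages are constructed in-memory zips, not real Office files.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
WORD_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
SHEET_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MAX_TYPES_PART = 1 << 20  # constructed limit: a [Content_Types].xml over 1 MiB is not a real package


def permissive_is_office(path) -> bool:
    """The shape of check the finding describes: any of the three OOXML
    extensions passes, so PPTX and XLSX flow into a skill scoped to Word."""
    return Path(path).suffix.lower() in {".docx", ".pptx", ".xlsx"}


def package_content_types(path) -> set:
    """Read the part content types declared in [Content_Types].xml. Every OOXML
    package carries this part, and its Override entries name the main part."""
    with zipfile.ZipFile(path) as z:
        info = z.getinfo("[Content_Types].xml")
        if info.file_size > MAX_TYPES_PART:
            raise ValueError("[Content_Types].xml implausibly large")
        root = ET.fromstring(z.read(info))
    return {el.get("ContentType") for el in root.iter(CT_NS + "Override")}


def is_docx(path) -> bool:
    """Allowlist check for the declared scope: the extension must be .docx AND
    the package must declare a WordprocessingML main document part. A renamed
    workbook fails the second test; a macro-enabled .docm fails both, since its
    main part uses a different content type."""
    p = Path(path)
    if p.suffix.lower() != ".docx" or not zipfile.is_zipfile(p):
        return False
    try:
        return WORD_MAIN in package_content_types(p)
    except (KeyError, ValueError, zipfile.BadZipFile, ET.ParseError):
        return False


def build_package(path: Path, part: str, content_type: str) -> Path:
    """Constructed minimal OOXML-shaped zip for the demonstration (not a file
    Word or Excel would fully open)."""
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/{part}" ContentType="{content_type}"/>'
        "</Types>"
    )
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr(part, "<root/>")
    return path


def demo() -> dict:
    """Run both checks over constructed samples; returns name -> result."""
    d = Path(tempfile.mkdtemp(prefix="docx_scope_"))
    docx = build_package(d / "report.docx", "word/document.xml", WORD_MAIN)
    xlsx = build_package(d / "numbers.xlsx", "xl/workbook.xml", SHEET_MAIN)
    renamed = build_package(d / "numbers_as.docx", "xl/workbook.xml", SHEET_MAIN)
    return {
        "permissive_accepts_xlsx": permissive_is_office(xlsx),
        "strict_docx": is_docx(docx),
        "strict_xlsx": is_docx(xlsx),
        "strict_renamed_xlsx": is_docx(renamed),
    }


if __name__ == "__main__":
    print(demo())
```

The content-type check is what closes the gap the finding describes: an extension allowlist alone still trusts whatever name the caller chose, while the package's own manifest says what the file actually is. Entry-count and total-size limits on the zip would be the next hardening step for a helper that goes on to unpack the archive.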

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language is broad enough to match many ordinary requests like reports, letters, or templates even when DOCX handling is not actually needed. Overbroad activation can route unrelated tasks into a skill with shell and file-manipulation behavior, increasing the chance of unnecessary exposure to risky tooling and unintended side effects.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Hard-coding the author name 'Claude' for tracked changes and comments can misattribute edits and create misleading provenance in generated documents. In document-review or legal workflows, false authorship metadata can undermine auditability and trust even if it does not directly enable code execution.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The helper writes C source code into a predictable file in the global temporary directory. Predictable temp-file usage can enable races, symlink attacks, or tampering by other local users/processes, especially when the file is later compiled into a loaded shared library.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Compiling a shared library without any explicit disclosure is risky because it performs a non-obvious, high-impact action that users of a document skill would not expect. The main security issue is not just disclosure, but that the action produces native executable code as part of routine document processing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Setting LD_PRELOAD for a subprocess causes the dynamic loader to map and run attacker-influenced native code (including its constructors) before the program's own logic starts. In a document-processing context this is unusually dangerous and unexpected, and if the shared object path or contents are tampered with it becomes an immediate code-execution vector.
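The three Missing User Warnings findings above share one root cause: a C source file at a predictable name under the global temp directory, compiled into a shared object that is then handed to a child process via LD_PRELOAD. The block below is an added example, not the scanned skill's code and not part of the scanner output; it keeps the page's gcc invocation but replaces the path handling with a private 0700 directory from mkdtemp(), O_EXCL creation so a pre-planted file or symlink makes the write fail instead of being followed, an ownership/mode check on both file and parent directory, and a digest recorded at compile time that must still match before LD_PRELOAD is set. SHIM_SOURCE is a constructed stand-in for the skill's _SHIM_SOURCE (the real source is not on the page), and the helper names and the injectable compiler callable are assumptions made for the example.

```python
import hashlib
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for the skill's _SHIM_SOURCE; the real shim source is
# not shown on the page and is not needed to demonstrate the path handling.
SHIM_SOURCE = "int lo_shim_marker(void) { return 1; }\n"


def is_private(path: Path) -> bool:
    """True only if `path` is something another local user could not have
    planted and cannot modify: a regular file (not a symlink) inside a
    directory (not a symlink), both owned by us, neither group/other-writable."""
    try:
        st, pst = os.lstat(path), os.lstat(path.parent)
    except FileNotFoundError:
        return False
    uid = os.getuid()
    if not stat.S_ISREG(st.st_mode) or not stat.S_ISDIR(pst.st_mode):
        return False  # lstat reports S_ISLNK for a symlink, so links fail here
    if st.st_uid != uid or pst.st_uid != uid:
        return False
    return not ((st.st_mode | pst.st_mode) & (stat.S_IWGRP | stat.S_IWOTH))


def write_shim_source() -> Path:
    """Hardened form of `Path(tempfile.gettempdir()) / "lo_socket_shim.c"`.
    mkdtemp() gives a fresh 0700 directory whose name cannot be guessed in
    advance, and O_EXCL makes the open fail (instead of following a symlink)
    if anything already sits at that name."""
    workdir = Path(tempfile.mkdtemp(prefix="lo_shim_"))
    src = workdir / "lo_socket_shim.c"
    fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(SHIM_SOURCE)
    return src


def compile_shim(src: Path, compiler=None):
    """Compile the shim next to its source and record the digest of what was
    produced. `compiler` is a hypothetical injectable callable so the flow can
    be exercised without gcc; by default the page's gcc invocation is used."""
    if not is_private(src):
        raise PermissionError(f"refusing to compile {src}: not a private file")
    so = src.with_suffix(".so")
    if compiler is None:
        subprocess.run(
            ["gcc", "-shared", "-fPIC", "-o", str(so), str(src), "-ldl"],
            check=True,
            capture_output=True,
        )
    else:
        compiler(src, so)
    os.chmod(so, 0o700)  # owner-only, whatever the umask or compiler did
    return so, hashlib.sha256(so.read_bytes()).hexdigest()


def preload_env(so: Path, expected_sha256: str) -> dict:
    """Build the child environment, but only if the object is still the one we
    compiled. Between this check and the loader's own open() there is an
    inherent TOCTOU window; the 0700 directory is what closes it in practice,
    since nobody but us can race inside it."""
    if not is_private(so):
        raise PermissionError(f"refusing to preload {so}: not a private file")
    actual = hashlib.sha256(so.read_bytes()).hexdigest()
    if actual != expected_sha256:
        raise RuntimeError(f"{so} changed since it was compiled")
    return {**os.environ, "LD_PRELOAD": str(so.resolve())}


if __name__ == "__main__":
    shim_src = write_shim_source()
    shim_so, shim_digest = compile_shim(shim_src)  # needs gcc on PATH
    child_env = preload_env(shim_so, shim_digest)
    subprocess.run(["/bin/true"], env=child_env, check=True)
```

None of this removes the finding that a document skill compiles and preloads native code at all; it only ensures that the code loaded is the code this process wrote, which is the minimum a reviewer should expect before accepting an LD_PRELOAD shim in a helper like this.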

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal