Xlsx Anthropic

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet skill includes high-impact, under-disclosed LibreOffice process changes and extra Word/PowerPoint document tooling outside its stated spreadsheet scope.

Install only in an isolated workspace and avoid sensitive spreadsheets or Office documents until the publisher narrows the skill to spreadsheet formats, removes or clearly gates DOCX/PPTX tooling, avoids persistent LibreOffice profile macros, and replaces the fixed-temp LD_PRELOAD shim with a safer documented mechanism.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
95% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes effective capabilities for environment access, file read/write, and shell execution without explicitly declaring permissions. That reduces transparency and weakens policy enforcement, making it easier for a caller or downstream system to invoke more powerful behavior than the skill contract suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is spreadsheet handling, but the implementation surface appears to include DOCX/PPTX processing, archive manipulation, validation tooling for unrelated Office formats, and a LibreOffice helper that injects an LD_PRELOAD shim. This mismatch materially expands the attack surface beyond user and platform expectations, especially because preload-based process manipulation and general Office archive tooling can be abused in ways unrelated to spreadsheet editing.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This helper operates on DOCX WordprocessingML and rewrites a Word document XML part, which is outside the declared spreadsheet-only scope of the xlsx skill. In an agent setting, scope mismatch is dangerous because it can enable unintended file access and modification paths, increasing the chance the skill is invoked on unsupported document types and alters user content unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code provides a document-editing capability for Word files that is not justified by the spreadsheet-focused skill description. Even if not overtly malicious, hidden out-of-scope editing functionality broadens the skill's authority and can lead to unauthorized or surprising modifications to non-spreadsheet files when the agent misroutes or is prompted adversarially.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file explicitly supports packing DOCX and PPTX in addition to XLSX, which exceeds the stated spreadsheet-only scope of the skill. In an agent setting, this capability mismatch can cause the skill to be invoked on broader Office documents than intended, increasing attack surface and enabling unintended document manipulation outside the declared trust boundary.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The validation path includes DOCX- and PPTX-specific validators and auto-repair behavior, confirming the code is designed to process non-spreadsheet Office content despite the skill claiming spreadsheet focus. This is dangerous because hidden cross-format capabilities can bypass operator expectations, route sensitive non-spreadsheet documents through the skill, and apply content-altering repairs to files outside the advertised scope.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Runtime native-code compilation and preload-based interposition are far more dangerous than typical spreadsheet handling and significantly expand the attack surface. In a spreadsheet skill, this is especially concerning because it introduces arbitrary compiler/toolchain execution and dynamic library loading that are unrelated to normal xlsx processing.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The module is implemented as a general Office unpacker for DOCX, PPTX, and XLSX, which exceeds the spreadsheet-only scope declared by the skill manifest. In an agent setting, this scope expansion can cause the skill to be invoked on non-spreadsheet documents, increasing access to unrelated sensitive content and enabling unauthorized document processing beyond user expectations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The imported helpers perform DOCX-specific transformations such as merging runs and simplifying tracked changes, which are unrelated to spreadsheet handling. This broadens the capability of the skill from tabular-file processing into document-content modification, creating unnecessary risk of accidental or unauthorized edits to non-spreadsheet files.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The unpack function explicitly accepts .docx and .pptx files in addition to .xlsx, directly contradicting the manifest's spreadsheet-focused contract. Because agents may rely on the manifest for routing and trust decisions, this mismatch can lead to unintended processing of presentations and documents, exposing sensitive data or enabling modifications outside the approved capability boundary.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The top-level documentation and CLI usage describe a generic Office-file unpacker, which materially misrepresents the skill's intended spreadsheet-only purpose. Misleading documentation increases the likelihood that operators, orchestrators, or downstream tools will invoke the skill on broader document types, undermining least-privilege assumptions and safe capability routing.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements DOCX validation and repair logic even though the declared skill is explicitly spreadsheet-focused. Capability drift like this expands the skill’s effective scope, increases attack surface, and can cause the agent to process or modify Word documents in contexts where users and policy expect spreadsheet-only behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The repair functionality actively rewrites Word document identifiers using random replacement values, which is outside the stated spreadsheet-only purpose and creates unauthorized file-modification capability. In an agent setting, unjustified repair features are risky because they can silently alter unrelated document types, damage document integrity, or be invoked through confused routing.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a PowerPoint XML validator inside a skill whose manifest is explicitly scoped to spreadsheet operations. That scope mismatch can cause the agent to invoke or expose code paths for non-spreadsheet document handling, expanding the attack surface and creating opportunities for unintended file processing, policy bypass, or unsafe handling of adversarial presentation content under the wrong trust assumptions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements Word document redlining validation inside a skill explicitly described as spreadsheet-focused, which is a significant capability mismatch. Such off-scope functionality increases the attack surface, makes review harder, and can be used to smuggle unrelated document-processing behavior into a skill where operators and users would not expect it.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Using subprocess-driven git diff in a spreadsheet skill is unjustified and broadens the trusted computing base with an external executable that is not necessary for the stated capability. Even if not directly injectable here, hidden external-tool execution in an off-scope validator makes the skill more dangerous because it introduces environment-dependent behavior, potential abuse of host tooling, and review evasion opportunities.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script writes a Basic macro into the user's global LibreOffice profile and then executes it via the application macro location. That expands a one-file spreadsheet operation into a persistent environment modification, creating cross-task side effects and a durable execution primitive that can affect future LibreOffice sessions or be abused if the profile is shared or later trusted.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger conditions are broad enough to capture many ordinary references to spreadsheets, paths, or tabular data, which can cause the skill to activate in situations where it is not necessary. Over-triggering is dangerous here because the skill appears to have file and shell-related capabilities, so unnecessary invocation increases exposure of local files and auxiliary tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The function rewrites word/document.xml in place and removes revision/proofing metadata such as rsid and proofErr entries without any explicit confirmation, backup, or user-visible warning. This can silently destroy edit history-related metadata and alter document state, which is especially risky in an agent workflow where users may not realize a helper is performing destructive normalization.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code silently compiles and deploys a preload shim with no transparency, policy gate, or consent, which can violate least surprise and bypass expected execution controls. While not automatically malicious, hidden dynamic code generation/loading is risky and makes abuse or accidental unsafe deployment more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The repair path writes modified XML back to files automatically, with no confirmation, dry-run mode, or explicit opt-in at the write point. In a skill advertised for spreadsheet handling, silent mutation of unpacked Office XML can unexpectedly alter user documents or destroy forensic evidence, especially because exceptions are swallowed and changes are made across all discovered XML files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently writes a macro file into the user's LibreOffice profile and the macro saves the workbook in place with ThisComponent.store(). Those side effects modify both application state and user data without explicit warning or consent, which is risky in an agent skill context where users may expect read-only analysis or non-destructive processing.

VirusTotal

64/64 vendors flagged this skill as clean.
