Back to skill

Security audit

Xlsx Pro

Security checks across malware telemetry and agentic risk

Overview

Xlsx Pro is a real spreadsheet utility, but its formula recalculation path makes persistent LibreOffice changes and may load locally compiled native code.

Review before installing. Use it only if you are comfortable with LibreOffice running under your account, a LibreOffice macro being written into your profile, and a native LD_PRELOAD shim potentially being compiled and reused from temp storage. Prefer running it in an isolated container or disposable LibreOffice profile, and avoid using it on untrusted spreadsheets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    try:
        subprocess.run(
            ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
            check=True,
            capture_output=True,
Confidence
94% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation clearly instructs use of Python packages, file I/O, and shell commands such as pip, apt-get, and running a recalculation script, yet it declares no permissions. This creates a capability transparency problem: the agent may read/write files and invoke shell tooling without an explicit permission boundary, increasing the chance of unsafe execution in environments that rely on declared permissions for policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is far beyond a simple spreadsheet skill: the described behavior includes installing LibreOffice macros into the user profile, compiling native C code, and using LD_PRELOAD to inject a shared library that intercepts low-level process/socket behavior. Those techniques are highly invasive, persistence-enabling, and unrelated to normal spreadsheet manipulation, making them dangerous because they can subvert host process behavior, evade normal controls, and open a path to arbitrary code execution or covert communications.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This code goes beyond document handling and compiles/loads native system code, materially increasing the attack surface of the skill. In the context of a spreadsheet-manipulation skill, adding arbitrary native compilation and shared-library injection is an unexpected privileged capability that could be abused or become a compromise point.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The top-level helper description presents this as a normal headless soffice runner, but the implementation can also inject an LD_PRELOAD shim that intercepts low-level socket calls and forcibly exits the process. That mismatch reduces transparency and can hide behavior with significant security and reliability implications from reviewers and users.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script writes or overwrites a LibreOffice application macro in the user's global profile, which persists beyond the current file operation and affects the host application environment. That is broader than ordinary spreadsheet recalculation and can unexpectedly alter later LibreOffice behavior or interfere with existing trusted macros.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code modifies host application state by creating directories and writing into LibreOffice's user configuration area, even though the skill is described as file-focused spreadsheet manipulation. In an agent setting, hidden host-state modification is risky because it creates side effects outside the requested artifact and may persist across runs or users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Writing and compiling a shared library in temporary storage without clear disclosure is dangerous because it silently introduces executable native artifacts and a preloadable library into the runtime environment. In combination with predictable temp paths, this can enable tampering by other local actors or make forensic review harder.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently writes a macro file into the user's LibreOffice profile and then modifies the spreadsheet, without any execution-time warning or explicit consent. In a skill context, undisclosed persistent changes reduce user control and can violate expectations about what a spreadsheet utility should touch.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.