Xlsx Pro

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet skill is purpose-aligned, but it uses under-disclosed LibreOffice automation that can persist a macro in the user profile and load native code through LD_PRELOAD.

Install only if you are comfortable with this skill running LibreOffice under your account, modifying your LibreOffice macro profile, and potentially loading a locally compiled native shim. Prefer using it in an isolated container or disposable LibreOffice profile, avoid untrusted spreadsheets, and remove or review the generated LibreOffice macro and temp shim after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    try:
        subprocess.run(
            ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
            check=True,
            capture_output=True,
Confidence
90% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = ["gtimeout", str(timeout)] + cmd

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, env=get_soffice_env(), timeout=timeout+10)
    except subprocess.TimeoutExpired:
        return {"error": "Timeout lors du recalcul"}
Confidence
84% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, env=get_soffice_env(), timeout=timeout+10)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill compiles and injects a custom `LD_PRELOAD` library that hooks libc/socket behavior and can force process termination via `_exit(0)`. Runtime code injection is highly privileged and far beyond normal spreadsheet handling; if the shim is replaced, reused from a world-writable temp path, or applied to the wrong process, it enables arbitrary native-code execution and hard-to-audit behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Spawning `gcc` to build native code is context-inappropriate for an Excel skill and expands the attack surface substantially. It introduces dependency on a compiler toolchain and creates opportunities for tampering with generated artifacts or abuse in environments where process creation is otherwise restricted.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The helper claims to run LibreOffice headlessly but does not enforce `--headless` and accepts arbitrary caller-supplied arguments. In this skill context, that means the wrapper can be repurposed for broader LibreOffice actions than advertised, weakening assumptions about confinement and enabling unexpected file-, network-, or macro-related behavior depending on LibreOffice capabilities.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script writes an application-level LibreOffice macro into the user's persistent profile directory rather than using an isolated temporary profile. That creates cross-run side effects, weakens least privilege, and can alter future LibreOffice behavior beyond the current workbook operation, which is risky in an agent environment handling arbitrary files.

VirusTotal

64/64 vendors flagged this skill as clean.
