Xlsx Pro
Warn
Audited by ClawScan on May 10, 2026.
Overview
Xlsx Pro’s spreadsheet features are coherent, but its formula recalculation helper makes persistent LibreOffice profile changes and can load native code from a global temp path, so it should be reviewed before use.
Use this skill only if you are comfortable running local LibreOffice/Python tooling. Before using formula recalculation, consider running it in an isolated environment, back up your LibreOffice profile, and watch for fixes that avoid loading shared libraries from /tmp and avoid persistent global macro writes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Dependency versions may vary by environment, which can affect reliability or supply-chain review.
The skill asks users to install unpinned Python packages and LibreOffice packages even though there is no install spec. This is purpose-aligned for Excel processing, but users should know dependencies are not pinned or managed declaratively.
pip install openpyxl pandas xlrd xlwt ... sudo apt-get install libreoffice-calc libreoffice-common
Use a pinned requirements file or lockfile and a clear install spec; install packages only from trusted package repositories.
On affected systems, a local attacker or stale temp file could cause LibreOffice to load unintended native code under the user’s account.
When the socket shim is needed, the helper trusts a predictable shared-library path in the global temp directory and sets LD_PRELOAD for LibreOffice. A pre-existing or replaced file at that path could be loaded as native code.
_SHIM_SO = Path(tempfile.gettempdir()) / "lo_socket_shim.so" ... if _SHIM_SO.exists(): return _SHIM_SO ... env["LD_PRELOAD"] = str(shim)
Store generated native helpers in a private, permission-restricted directory; verify ownership and integrity before loading; avoid trusting pre-existing files in /tmp; make LD_PRELOAD behavior explicit and opt-in.
Using the recalc workflow may permanently alter the user’s LibreOffice macro setup and could replace an existing macro file.
The recalculation script automatically writes a LibreOffice Basic macro into the user’s persistent LibreOffice profile. If Module1.xba already exists but lacks the expected marker, it can be overwritten.
MACRO_DIR_LINUX = "~/.config/libreoffice/4/user/basic/Standard" ... MACRO_FILENAME = "Module1.xba" ... Path(macro_file).write_text(RECALCULATE_MACRO)
Use an isolated temporary LibreOffice profile for recalculation, or ask for explicit approval, back up/merge existing macros, and provide cleanup instructions.
