Xlsx Pro

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: xlsx-pro
Version: 1.0.1

This skill is classified as suspicious due to its use of high-risk system-level capabilities, specifically the runtime compilation of C code using `gcc` and the subsequent use of `LD_PRELOAD` to inject a custom shared library (`lo_socket_shim.so`) into processes. These actions, found in `scripts/office/soffice.py`, are intended to enable LibreOffice to function in sandboxed environments by shimming AF_UNIX socket calls. While the stated purpose is functional and there is no clear evidence of malicious intent, these techniques are powerful and could be exploited if the skill's environment or the hardcoded C source were compromised, representing a significant attack surface.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Dependency versions may vary by environment, which can affect reliability or supply-chain review.

Why it was flagged

The skill asks users to install unpinned Python packages and LibreOffice packages even though there is no install spec. This is purpose-aligned for Excel processing, but users should know dependencies are not pinned or managed declaratively.

Skill content

pip install openpyxl pandas xlrd xlwt
...
sudo apt-get install libreoffice-calc libreoffice-common

Recommendation

Use a pinned requirements file or lockfile and a clear install spec; install packages only from trusted package repositories.

What this means

On affected systems, a local attacker or stale temp file could cause LibreOffice to load unintended native code under the user’s account.

Why it was flagged

When the socket shim is needed, the helper trusts a predictable shared-library path in the global temp directory and sets LD_PRELOAD for LibreOffice. A pre-existing or replaced file at that path could be loaded as native code.

Skill content

_SHIM_SO = Path(tempfile.gettempdir()) / "lo_socket_shim.so"
...
if _SHIM_SO.exists(): return _SHIM_SO
...
env["LD_PRELOAD"] = str(shim)

Recommendation

Store generated native helpers in a private, permission-restricted directory; verify ownership and integrity before loading; avoid trusting pre-existing files in /tmp; make LD_PRELOAD behavior explicit and opt-in.

What this means

Using the recalc workflow may permanently alter the user’s LibreOffice macro setup and could replace an existing macro file.

Why it was flagged

The recalculation script automatically writes a LibreOffice Basic macro into the user’s persistent LibreOffice profile. If Module1.xba already exists but lacks the expected marker, it can be overwritten.

Skill content

MACRO_DIR_LINUX = "~/.config/libreoffice/4/user/basic/Standard"
...
MACRO_FILENAME = "Module1.xba"
...
Path(macro_file).write_text(RECALCULATE_MACRO)

Recommendation

Use an isolated temporary LibreOffice profile for recalculation, or ask for explicit approval, back up/merge existing macros, and provide cleanup instructions.