Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# All dependencies # Word python-docx>=1.1.2 lxml>=5.3.0 # PowerPoint
- Confidence
- 94% confidence
- Finding
- python-docx>=1.1.2
Office Toolkit
Security checks across malware telemetry and agentic risk
Overview
This is a straightforward Office/PDF document toolkit with disclosed file-reading and file-writing behavior, but users should be cautious about its unpinned parser dependencies.
Install this in a virtual environment, use pinned or locked dependency versions where possible, and be careful processing documents from untrusted sources because Office, PDF, XML, and image parsers can have security-sensitive bugs.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# All dependencies # Word python-docx>=1.1.2 lxml>=5.3.0 # PowerPoint python-pptx>=1.0.0
- Confidence
- 94% confidence
- Finding
- lxml>=5.3.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
lxml>=5.3.0 # PowerPoint python-pptx>=1.0.0 Pillow>=10.0.0 # Excel
- Confidence
- 93% confidence
- Finding
- python-pptx>=1.0.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# PowerPoint python-pptx>=1.0.0 Pillow>=10.0.0 # Excel openpyxl>=3.1.0
- Confidence
- 95% confidence
- Finding
- Pillow>=10.0.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
Pillow>=10.0.0 # Excel openpyxl>=3.1.0 # PDF pymupdf>=1.24.0
- Confidence
- 94% confidence
- Finding
- openpyxl>=3.1.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
openpyxl>=3.1.0 # PDF pymupdf>=1.24.0
- Confidence
- 93% confidence
- Finding
- pymupdf>=1.24.0
Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more
High
- Category
- Supply Chain
- Confidence
- 76% confidence
- Finding
- lxml
Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more
Critical
- Category
- Supply Chain
- Confidence
- 90% confidence
- Finding
- Pillow
Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)
High
- Category
- Supply Chain
- Confidence
- 82% confidence
- Finding
- openpyxl
VirusTotal
VirusTotal findings are pending for this skill version.