TDOC Docx

Security checks across malware telemetry and agentic risk

Overview

This Word document skill is mostly legitimate, but it asks for broad document, network, system-package, and code-execution authority that should be reviewed before installation.

Install only if you are comfortable with a Word skill that can process local documents, run LibreOffice and other host tools, install system dependencies, fetch files from URLs or SFTP, and execute generated Python for templates. Use it in a sandbox or disposable workspace, avoid remote inputs unless trusted, review generated scripts before execution, and verify documents after accepting tracked changes. Static scan was clean and VirusTotal was pending; the Review verdict is based on artifact-backed scope and control concerns, not malware evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import tempfile
from pathlib import Path

# _SHIM_SOURCE and _SHIM_SO are defined elsewhere in the skill (not in this excerpt).
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"  # predictable name in the shared temp dir
src.write_text(_SHIM_SOURCE)
subprocess.run(  # builds native code with the host gcc at runtime
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
92% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import tempfile

try:
    with tempfile.TemporaryDirectory() as tmpdir:
        # Converts the user-supplied file with the host LibreOffice binary (60 s cap)
        subprocess.run(
            ['soffice', '--headless', '--convert-to', 'docx',
             '--outdir', tmpdir, str(self.file_path)],
            capture_output=True, timeout=60, check=True,
        )
# The matching except clause lies outside the scanner excerpt.
Confidence
82% confidence
Finding
subprocess.run( ['soffice', '--headless', '--convert-to', 'docx', '--outdir', tmpdir, str(self.file_path)], capture_output=

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file acquisition section permits downloading from arbitrary URLs and SFTP endpoints, which introduces network I/O and remote content ingestion unrelated to basic local Word processing. This can enable SSRF-like access patterns, untrusted document retrieval, credential exposure through SFTP usage, or exfiltration workflows if combined with local file handling.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill advertises remote file download capability without clear user-facing notice that data may leave the local environment or be fetched from external systems. In document workflows, this is especially risky because users may provide sensitive filenames or paths, assuming purely local processing, while the skill can initiate network transfers.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
If LibreOffice times out, the code still reports success even though accepting tracked changes may not have completed. This creates integrity and workflow-security problems because downstream users or automation may trust that sensitive revisions/comments were removed when they were not.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The skill invokes external host binaries, LibreOffice and pdftoppm, to process user-supplied documents. In a skill context, this materially increases risk because malformed office files may trigger vulnerabilities in those native tools, and the manifest does not make this host-execution behavior explicit.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script supports fetching arbitrary content from public URLs and SFTP endpoints, which expands the skill from document processing into unrestricted network/file acquisition. In an agent context, this can enable SSRF-style access to internal resources, unvetted data ingress, and retrieval of attacker-controlled files that may later be parsed by document tooling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Network-based acquisition is not clearly justified by the stated Word-processing capability, so it materially broadens the attack surface beyond the manifest. This matters because remote fetching allows attacker influence over both network destinations and file contents, increasing risk when those files are subsequently handled by converters or parsers.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Dynamically setting `LD_PRELOAD` to inject a custom shared library into LibreOffice changes process behavior at the loader level, which is a highly privileged and security-sensitive mechanism unrelated to normal document handling. In the context of a document-processing skill, this makes the component materially more dangerous because any compromise or tampering of the shim yields arbitrary code execution inside the spawned process.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Invoking a system compiler to build native code during normal operation is dangerous because it turns the application into a build-and-execute pipeline for low-level code. In this skill context, that capability is unusual and unnecessary for ordinary Word processing, increasing the risk of tampering, unexpected toolchain execution, and harder-to-audit runtime behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script's reader role includes launching external parsers/converters for legacy .doc files, which increases risk beyond simple file reading. Because the input document is attacker-controlled, the skill may expose the host to vulnerabilities in antiword or LibreOffice, especially in automated agent workflows that process files without human review.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill explicitly requires using web_search to gather external information, which expands a Word document processing skill into internet research without clear need or user consent. This increases the attack surface by enabling unbounded retrieval of untrusted external content and exceeds the declared capability scope, making misuse and data contamination more likely.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Mandating web_search in a document-processing workflow is context-inappropriate because the task should operate on supplied document inputs rather than fetch arbitrary outside material. In this context, the mismatch makes the behavior more dangerous, since users invoking a Word skill would not reasonably expect internet access or externally sourced content to be injected into generated documents.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to execute generated Python files directly in the environment, which introduces general code-execution behavior beyond normal document formatting. Because the generated code is based on template logic and potentially externally gathered content, this creates a path to unsafe execution, environment abuse, or unintended file/system actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are extremely broad and include everyday terms like 'Word', '文档', '报告', and '总结', making accidental invocation likely. Because the skill includes shell, file, and remote-fetch-related behaviors, overbroad routing increases the chance that sensitive or unrelated user requests are handled by a more privileged tool than necessary.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The automatic invocation rules cover a very broad range of common document tasks and are phrased as mandatory auto-use. In context, this is more dangerous because the skill does more than simple text handling—it can edit files, run shell-based converters, and fetch inputs—so ambiguous routing expands exposure to privileged actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes URL and SFTP fetching but provides no warning that the skill may perform external network access or data transfer. Hidden network behavior in a document-processing skill undermines user expectations and can lead to accidental transmission of sensitive document locations, credentials, or retrieved content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer performs privileged system package installation via apt/yum/brew without an explicit consent prompt immediately before modifying the host. While common for convenience installers, this is still security-relevant because running the script can unexpectedly change system state and invoke sudo, increasing risk if the package list or script is later tampered with.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The script installs Python dependencies from requirements.txt without a prominent user-facing notice that it will download packages from the network and modify either a virtualenv or the global Python environment. This is lower severity than direct root package installation, but it still expands the attack surface because dependency installation executes packaging logic and changes the local environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module writes both C source and a shared object to predictable filenames in the global temp directory, creating a classic opportunity for race conditions, symlink attacks, and cross-process tampering in shared environments. Because the resulting `.so` is later loaded via `LD_PRELOAD`, any successful overwrite or pre-placement can escalate directly to arbitrary code execution in the LibreOffice process.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Requiring direct execution of generated Python without user confirmation bypasses an important safety checkpoint for potentially dangerous actions. In an agent setting, automatic execution turns prompt-controlled text generation into action-taking code, raising the risk of arbitrary behavior, destructive file changes, or exploitation via crafted inputs/templates.

VirusTotal

64/64 vendors flagged this skill as clean.