Security audit

Docx

Security checks across malware telemetry and agentic risk

Overview

This Word document skill is mostly coherent, but it uses under-disclosed native-code and LibreOffice macro mechanisms that deserve review before installation.

Install only if you are comfortable with a document skill that can run LibreOffice, compile and preload a native compatibility shim, and create a local LibreOffice macro profile. Use it on trusted machines, keep originals of important documents, override the author name when document history matters, and treat the conversion and accept-changes helpers as higher-risk local execution features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    subprocess.run(
        ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
        check=True,
        capture_output=True,
    )
Confidence
93% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs use of shell commands, file reads/writes, and environment-dependent tooling, yet no explicit permissions are declared. This creates a capability/permission mismatch that weakens policy enforcement and can let a broadly triggered skill perform more powerful actions than reviewers or runtime policy expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The public description presents a Word-document skill, but the content exposes broader Office-package unpacking/repacking, validation/repair, and references to tooling that can affect other formats and lower-level package internals. This mismatch is dangerous because users, orchestrators, and reviewers may invoke or approve the skill under narrower assumptions than its actual operational scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata says this capability should be used for Word documents only, but this module explicitly documents support for DOCX, PPTX, and XLSX. That mismatch expands the effective capability surface beyond what users and orchestrators may expect, which can cause unintended routing, policy bypass, or use of the skill on unsupported file types without proper safeguards.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code accepts output files ending in .pptx and .xlsx in addition to .docx, directly contradicting the declared scope of the skill. In an agent system, this kind of scope drift is dangerous because downstream trust, approval, and sandboxing decisions may rely on the manifest and not the actual code behavior.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The top-level documentation and usage examples advertise broader Office packaging than the skill description authorizes. This is security-relevant because operators, reviewers, and automated tooling may trust the documented skill boundary when deciding whether the skill is appropriate for a task, creating a capability mismatch that increases misuse risk.
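The three scope findings above, together with the Lp3 least-privilege finding, reduce to one check a reviewer can automate: compare what the manifest declares against what the code actually accepts and imports. The script below is an added example, not code from the skill or from SkillSpector. The manifest shape (`file_types`, `permissions`), the module-to-capability mapping and the sample skill source are all constructed for illustration; the sample is modelled on the behaviour the findings describe, not copied from the skill.

```python
"""Manifest-vs-code scope check for a document skill (added example)."""
from __future__ import annotations

import ast
import re

# Constructed manifest: a Word-only skill that declares no permissions.
MANIFEST = {
    "name": "docx",
    "description": "Create, edit and convert Word (.docx) documents.",
    "file_types": [".docx"],
    "permissions": [],
}

# Constructed skill source, modelled on the behaviour the findings describe
# (accepts other Office extensions, shells out, writes files). Not the skill's code.
SKILL_SOURCE = '''
import os
import shutil
import subprocess

SUPPORTED = (".docx", ".pptx", ".xlsx")

def pack(src_dir, out_file):
    if not out_file.endswith(SUPPORTED):
        raise ValueError("unsupported output type")
    shutil.make_archive(out_file, "zip", src_dir)
    os.replace(out_file + ".zip", out_file)

def convert(path):
    subprocess.run(["soffice", "--headless", "--convert-to", "docx", path], check=True)
'''

# Hypothetical mapping from imported module to the permission a reviewer
# would expect the manifest to declare for it.
CAPABILITY_OF_MODULE = {
    "subprocess": "shell",
    "os": "filesystem:write",
    "shutil": "filesystem:write",
}
EXT_RE = re.compile(r"\.(docx|pptx|xlsx|doc|ppt|xls|pdf)", re.IGNORECASE)


def imported_modules(tree: ast.AST) -> set[str]:
    """Top-level names of every module the source imports."""
    mods: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def extension_literals(tree: ast.AST) -> set[str]:
    """String constants that are bare Office/PDF file extensions."""
    return {
        node.value.lower()
        for node in ast.walk(tree)
        if isinstance(node, ast.Constant)
        and isinstance(node.value, str)
        and EXT_RE.fullmatch(node.value)
    }


def scope_report(manifest: dict, source: str) -> dict[str, list[str]]:
    """Extensions and capabilities the code uses but the manifest does not declare."""
    tree = ast.parse(source)
    declared_exts = {e.lower() for e in manifest.get("file_types", [])}
    declared_caps = set(manifest.get("permissions", []))
    used_caps = {
        CAPABILITY_OF_MODULE[m]
        for m in imported_modules(tree)
        if m in CAPABILITY_OF_MODULE
    }
    return {
        "undeclared_extensions": sorted(extension_literals(tree) - declared_exts),
        "undeclared_capabilities": sorted(used_caps - declared_caps),
    }


if __name__ == "__main__":
    for key, items in scope_report(MANIFEST, SKILL_SOURCE).items():
        print(f"{key}: {items or 'none'}")
```

Against the constructed manifest the report lists `.pptx` and `.xlsx` as undeclared extensions and `shell` and `filesystem:write` as undeclared capabilities, which is exactly the mismatch findings 4 to 6 and Lp3 describe. Either list being non-empty is a reason to block installation until the manifest is widened or the code narrowed.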

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Injecting an LD_PRELOAD library into LibreOffice changes the behavior of a large native application before it starts, giving the helper the ability to intercept low-level libc calls. That is far beyond normal DOCX manipulation needs and creates a powerful code-execution and stealth-tampering mechanism if the shim is compromised or behaves unexpectedly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Runtime invocation of gcc to compile C source is unjustified for a document skill and introduces an unnecessary native build chain into the execution path. This creates opportunities for tampering, dependency abuse, and execution of unreviewed native code, especially since the source and output are placed in a temporary directory.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The embedded shim hooks socket, listen, accept, close, and forces process termination via _exit(0), fundamentally altering process and IPC semantics of LibreOffice. In the context of a DOCX skill, this is an unjustified hidden capability that can mask failures, interfere with auditability, and provide a mechanism for intrusive low-level manipulation.
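The three Context-Inappropriate Capability findings describe behaviour that can be located mechanically in the helper's Python: a subprocess call whose argv begins with a C compiler, an assignment to LD_PRELOAD before a child is launched, and the exec()/eval()/dynamic-import patterns listed under Behavioral AST. The scanner below is an added example, not the skill's code or SkillSpector's. The sample source is constructed to mirror the audited snippet; the `launch_soffice` function, its LD_PRELOAD line and the shim path are hypothetical stand-ins for how such an injection would appear.

```python
"""Behavioural AST scan for a skill's Python helpers (added example)."""
import ast

# Constructed sample modelled on the audited snippet; not the skill's code.
# The launch_soffice function, the LD_PRELOAD line and the shim path are hypothetical.
SAMPLE = '''
import os, subprocess, tempfile, importlib
from pathlib import Path

_SHIM_SO = Path(tempfile.gettempdir()) / "lo_socket_shim.so"

def build_shim(source_text):
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(source_text)
    subprocess.run(
        ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
        check=True,
        capture_output=True,
    )

def launch_soffice(args):
    env = dict(os.environ)
    env["LD_PRELOAD"] = str(_SHIM_SO)
    return subprocess.Popen(["soffice", "--headless", *args], env=env)

def load_plugin(name):
    return importlib.import_module(name)
'''

COMPILERS = {"gcc", "cc", "clang", "g++", "c++", "tcc"}
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
DYNAMIC_EXEC = {"exec", "eval", "__import__"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, else None (e.g. a call on a call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def argv_program(call):
    """Basename of the program if the first positional arg is a list/tuple literal."""
    if call.args and isinstance(call.args[0], (ast.List, ast.Tuple)) and call.args[0].elts:
        head = call.args[0].elts[0]
        if isinstance(head, ast.Constant) and isinstance(head.value, str):
            return head.value.rsplit("/", 1)[-1]
    return None


def scan(source):
    """Return sorted (lineno, rule, detail) tuples for the patterns of interest."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name is None:
                continue
            head, tail = name.split(".")[0], name.split(".")[-1]
            if head == "subprocess" and tail in SUBPROCESS_FUNCS:
                prog = argv_program(node)
                if prog in COMPILERS:
                    findings.append((node.lineno, "native-build-chain", f"{name} invokes {prog}"))
                else:
                    findings.append((node.lineno, "subprocess-call", name))
            elif name in DYNAMIC_EXEC:
                findings.append((node.lineno, "dynamic-exec", name))
            elif name == "importlib.import_module":
                findings.append((node.lineno, "dynamic-import", name))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Subscript)
                        and isinstance(target.slice, ast.Constant)
                        and target.slice.value == "LD_PRELOAD"):
                    findings.append((node.lineno, "ld-preload-injection",
                                     f"{dotted_name(target.value)}['LD_PRELOAD']"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule, detail in scan(SAMPLE):
        print(f"line {lineno:>3}  {rule:<22} {detail}")
```

On the sample the scan reports the gcc build as `native-build-chain`, the environment write as `ld-preload-injection`, the soffice launch as a plain `subprocess-call`, and the `importlib.import_module` call as `dynamic-import`. The rules are deliberately literal-only: a compiler name or LD_PRELOAD key passed through a variable or a string built at runtime will not be caught, so a clean result from this scan narrows the review rather than closing it.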

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is very broad, including generic requests like reports, memos, letters, templates, and polished documents, which can cause unintended invocation outside strict .docx scenarios. Overbroad invocation increases the chance that a powerful shell/file-manipulating skill runs when a simpler or safer skill should handle the task.

VirusTotal

65 of 65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected. A clean signature and pattern scan does not address the scope and capability findings above, which concern what the skill is permitted to do rather than whether its code matches known-malicious samples.