Docx

Security checks across malware telemetry and agentic risk

Overview

This DOCX skill mostly matches its document-editing purpose, but it uses automatic native-code injection into LibreOffice and broader Office-file tooling that users should review before installing.

Install only if you are comfortable with a document skill that runs external office tools and can invoke gcc plus LD_PRELOAD for LibreOffice in some environments. Use it on copies of documents in a controlled workspace, avoid untrusted Office files, and review the LibreOffice shim behavior before using conversion or tracked-change acceptance features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
95% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
If LibreOffice times out, the function returns a success message even though accepting tracked changes may not have completed. In a document-processing workflow, this can cause downstream consumers to trust a file as sanitized or finalized when tracked changes may still be present, creating integrity and review-bypass risks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Setting LD_PRELOAD to inject a custom shared library into LibreOffice changes the runtime behavior of a complex external application at the process-loader level. That is dangerous because LD_PRELOAD grants arbitrary code execution inside the target process and can subvert normal security assumptions, especially when used automatically on untrusted document inputs.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Invoking a system compiler at runtime to build native code substantially expands the attack surface and operational risk of the skill. In the context of a document-processing helper, compiling arbitrary native code on the fly is far outside the minimum needed capability and can be abused or tampered with in shared environments.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script explicitly supports .pptx and .xlsx archives even though the skill is described as Word-document-only. That scope mismatch expands the attack surface and grants broader file-manipulation capability than users and reviewers would expect, which is dangerous in an agent skill because it can be invoked for non-DOCX Office content outside the declared trust boundary.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The code extracts a user-supplied ZIP-based Office file into an arbitrary output directory using extractall without validating archive member paths or constraining the destination. This can enable path traversal via crafted archive entries or unsafe writes into sensitive locations, and the low-level unpacking behavior exceeds the narrowly declared DOCX editing functionality, making it more dangerous in this skill context.

Context-Inappropriate Capability

Medium
Confidence
72% confidence
Finding
The validator launches an external git binary solely to generate a human-readable diff for DOCX validation errors, which is not necessary for the skill's core purpose and expands the attack surface. In agent or multi-tenant environments, dependence on PATH-resolved external tools can enable execution of an unintended binary or environment-manipulated helper, and it also weakens sandboxing assumptions for a document-processing component.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger guidance includes broad terms like report, memo, letter, and template, which can cause the skill to activate in routine contexts not specifically requiring DOCX handling. Over-broad invocation increases the chance that powerful file and shell behaviors are used unnecessarily or inappropriately.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The helper silently writes transient C source code to disk and removes it without any visibility to the caller. In a user-facing skill, undisclosed generation of native source artifacts is risky because it conceals security-sensitive behavior and complicates auditing and incident response.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Applying LD_PRELOAD without explicit warning conceals a highly security-sensitive change to process execution. In a document-processing skill, silently altering loader behavior makes the helper more dangerous because operators may believe they are only converting .docx files while native interception is actually occurring.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
When --auto-repair is enabled, the tool modifies document contents in place without an explicit destructive-action warning, confirmation step, or automatic backup. In a document-processing skill context, this can lead to silent integrity loss, accidental alteration of user files, and hard-to-detect changes to tracked content or formatting.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The repair path rewrites XML files in place after detecting whitespace-preservation issues, and exceptions are silently suppressed. In a document-manipulation skill, implicit mutation without explicit opt-in can corrupt user data, destroy forensic evidence of the original document state, or cause unintended changes to untrusted files while giving the caller no indication that modification occurred.

VirusTotal

60 of 60 vendors reported this skill as clean.