Docx

Security checks across malware telemetry and agentic risk

Overview

This Word-document skill is mostly legitimate, but one helper compiles and injects native code from predictable temporary paths, which warrants review before installation.

Install only if you need local Word-document automation and are comfortable with shell-based Office tooling. Use copies of important documents, review outputs before sharing, override the tracked-change/comment author when provenance matters, and avoid or harden the LibreOffice conversion and accept-changes helpers until the predictable /tmp shim and macro-profile behavior is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Shim source is written to a predictable, world-shared temp path
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    # Compiles the shim into a shared object that is later LD_PRELOADed into soffice
    subprocess.run(
        ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
        check=True,
        capture_output=True,
    )
Confidence
96% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
If the LibreOffice process times out, the function still returns a success message even though tracked changes may not have been accepted and the output file may be only a copied original. This creates an integrity issue: downstream automation may trust a document as sanitized or finalized when it is not, which is especially risky in a document-processing skill expected to produce polished final outputs.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Compiling and injecting an LD_PRELOAD shim at runtime is a powerful code-execution mechanism far beyond normal document handling. Because the shim is built into and loaded from a shared temporary location, it creates an opportunity for local tampering that can cause arbitrary native code to run whenever soffice is launched.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough to match generic requests like reports, memos, templates, or polished documents, even when DOCX output is not explicitly intended. Overbroad activation increases the chance this high-capability skill is selected unnecessarily, exposing shell/file operations and document-processing pipelines in situations that do not require them.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Forcing the author name `Claude` for tracked changes and comments alters document metadata and provenance without user opt-in. In legal, compliance, or collaborative workflows, this can misattribute edits, leak use of an AI assistant, or create audit-trail integrity issues.

VirusTotal

65/65 vendors flagged this skill as clean.
