Trust Assessment
docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 25 findings: 8 critical, 10 high, 6 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 1ed29a03). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings25
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/accept_changes.py:68 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/accept_changes.py:99 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:14 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:37 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:59 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/validators/redlining.py:138 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/validators/redlining.py:167 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:25 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:25 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/pack.py:117 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'accept_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/accept_changes.py:68 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/accept_changes.py:99 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:37 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:59 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/validators/redlining.py:138 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/validators/redlining.py:167 | |
| HIGH | Potential Command Injection via `soffice` Arguments The `scripts/accept_changes.py` and `scripts/office/soffice.py` scripts execute the `soffice` command-line tool using `subprocess.run`. The `output_file` argument to `accept_changes.py` is directly incorporated into the `soffice` command string. While `subprocess.run` with `shell=False` (default) mitigates simple shell injection, `soffice` itself is a complex application that might interpret certain arguments in a way that allows arbitrary command execution or file manipulation if the input path contains specially crafted characters or sequences. An attacker controlling the `output_file` could potentially exploit this to execute arbitrary commands or write to unintended locations. Sanitize or strictly validate all user-controlled input (e.g., `output_file`) before passing it as an argument to external commands like `soffice`. Consider using a more robust argument parsing mechanism for `soffice` if it supports a safer API, or implement strict allow-listing for file paths. | Unknown | scripts/accept_changes.py:50 | |
| HIGH | Privilege Escalation via `LD_PRELOAD` and `gcc` Compilation The `scripts/office/soffice.py` script dynamically compiles and loads a C library (`lo_socket_shim.so`) using `gcc` and then sets the `LD_PRELOAD` environment variable to load this shim when executing `soffice`. This mechanism allows intercepting and modifying system calls (like `socket`, `listen`, `accept`, `close`, `read`). While the C source code for the shim is hardcoded, the ability to compile and load arbitrary code at runtime via `LD_PRELOAD` represents a significant privilege escalation vector. If an attacker could somehow modify the `_SHIM_SOURCE` string or the paths involved, they could inject and execute malicious code with the privileges of the `soffice` process. Avoid dynamic compilation and `LD_PRELOAD` in production environments unless absolutely necessary and with extreme caution. If required, ensure the C source code is immutable, cryptographically signed, and its integrity verified before compilation. Restrict the execution environment to prevent modification of temporary files or `LD_PRELOAD` paths. Consider if the functionality can be achieved with less privileged methods. | Unknown | scripts/office/soffice.py:52 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/comment.py:91 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/validators/pptx.py:207 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ik3euqja/repo/skills/docx/scripts/office/soffice.py:18 | |
| MEDIUM | Potential Data Exfiltration/Overwrite via Uncontrolled File Paths Several scripts (`unpack.py`, `pack.py`, `accept_changes.py`, `comment.py`) operate on file paths (`input_file`, `output_file`, `output_directory`) that are passed as arguments. If an attacker can control these arguments, they could direct the output of processed documents (which may contain sensitive information) to an attacker-controlled location, or overwrite critical system files. For example, a malicious `output_file` like `/etc/passwd` or `/var/www/html/sensitive_data.txt` could lead to data loss or exposure. Implement strict validation and sanitization for all file paths provided by untrusted input. Use allow-lists for permitted directories and file extensions. Prevent path traversal sequences (e.g., `../`). Ensure that output files are written only to designated, isolated directories. | Unknown | scripts/office/unpack.py:15 | |
| MEDIUM | Zip Slip Vulnerability in `unpack.py` The `scripts/office/unpack.py` script uses `zipfile.extractall(output_path)` to extract the contents of a DOCX file. This function is known to be vulnerable to 'Zip Slip' attacks if not properly mitigated. A malicious DOCX file could contain entries with path traversal sequences (e.g., `../../../../etc/passwd`) in their filenames, causing files to be extracted outside the intended `output_path` directory. This could lead to overwriting critical system files or writing malicious executables to sensitive locations. Before extracting, validate each member's filename within the zip archive to ensure it does not contain path traversal sequences (e.g., `..` or absolute paths). A common mitigation is to resolve the full path of each extracted file and ensure it remains within the designated `output_path`. | Unknown | scripts/office/unpack.py:26 | |
| MEDIUM | XML Injection in `comment.py` due to Unescaped Input The `scripts/comment.py` script constructs XML for comments by embedding the `text` argument into an XML template. The script's documentation explicitly states that `text` should be 'pre-escaped XML'. However, the `_encode_smart_quotes` function only handles a limited set of smart quote characters, not general XML escaping (e.g., for `<`, `>`, `&`). If the LLM or any upstream component fails to properly escape user-provided text before passing it to this script, an attacker could inject arbitrary XML, potentially corrupting the document structure or embedding malicious content that could be interpreted by a document viewer. Ensure that all user-provided text intended for XML content is fully XML-escaped before being embedded into XML templates. The `_encode_smart_quotes` function is insufficient for general XML escaping. A comprehensive XML escaping utility should be used, or the `text` should be passed as a text node to `defusedxml.minidom`'s API directly, rather than string interpolation. | Unknown | scripts/comment.py:67 | |
| INFO | Unpinned `npm` Dependency for `docx` The `SKILL.md` file instructs to install `docx` using `npm install -g docx`. This command installs the latest version globally without specifying a version. Unpinned dependencies can introduce supply chain risks, as a new version might contain breaking changes, unexpected behavior, or even malicious code. Global installations can also lead to version conflicts with other tools. Pin the dependency to a specific version (e.g., `npm install -g docx@1.2.3`) to ensure consistent and predictable behavior. Consider using a project-local installation (`npm install docx`) rather than a global one to avoid conflicts and better isolate dependencies. | Unknown | SKILL.md:58 |
Scan History
Embed Code
[](https://skillshield.io/report/6afc76a2cb0af36b)
Powered by SkillShield