Trust Assessment
xlsx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 23 findings: 10 critical, 10 high, 3 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 1ed29a03). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (23)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/office/soffice.py:14 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/office/soffice.py:37 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/office/soffice.py:59 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/office/validators/redlining.py:138 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/office/validators/redlining.py:167 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/recalc.py:34 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/recalc.py:55 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | skills/xlsx/scripts/recalc.py:92 |
| CRITICAL | **Credential harvesting.** Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Unknown | skills/xlsx/scripts/office/soffice.py:25 |
| CRITICAL | **Dynamic C Code Compilation and LD_PRELOAD Injection.** The `soffice.py` script dynamically compiles C code using `gcc` and then uses `LD_PRELOAD` to inject this compiled shared library into the `soffice` process. While the C code (`_SHIM_SOURCE`) is hardcoded within the skill and appears to be a legitimate shim for LibreOffice socket issues, the mechanism itself represents a critical command injection vulnerability. If an attacker could somehow modify the `_SHIM_SOURCE` string (e.g., through a supply chain attack on the skill package), they could execute arbitrary native code with the permissions of the agent. The use of `LD_PRELOAD` grants extremely high privileges, allowing code injection into other processes. Avoid dynamic compilation of code from strings. If a shim is necessary, pre-compile it and include it as a binary asset, ensuring its integrity. Re-evaluate if `LD_PRELOAD` is strictly necessary and if there are safer alternatives for sandboxed environments. | Unknown | scripts/office/soffice.py:40 |
| HIGH | **Unsafe environment variable passthrough.** Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Unknown | skills/xlsx/scripts/office/soffice.py:25 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | skills/xlsx/scripts/office/pack.py:117 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/office/soffice.py:37 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/office/soffice.py:59 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/office/validators/redlining.py:138 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/office/validators/redlining.py:167 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/recalc.py:92 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'has_gtimeout'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/recalc.py:34 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | skills/xlsx/scripts/recalc.py:55 |
| HIGH | **Execution of LibreOffice with Arbitrary File Input and Macro Writing.** The `recalc.py` script executes the `soffice` (LibreOffice) application via `subprocess.run` and passes an arbitrary `filename` directly as an argument. Although `subprocess.run` with a list of arguments mitigates basic shell injection, `soffice` is a complex application that may have its own vulnerabilities when processing untrusted file paths or content. Furthermore, the script writes a StarBasic macro (`RECALCULATE_MACRO`) to the user's LibreOffice profile directory, modifying the user's system configuration. This macro is then executed by `soffice`, which includes a `ThisComponent.store()` call, allowing the skill to save and potentially overwrite files on the system. Implement strict validation and sanitization of all file paths and names before passing them to external commands like `soffice`. Consider using a dedicated, isolated environment for LibreOffice execution to prevent unintended file system access or macro execution outside the intended scope. Avoid modifying user configuration directories directly; use temporary files or a dedicated, sandboxed LibreOffice instance. | Unknown | scripts/recalc.py:64 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | skills/xlsx/scripts/office/validators/pptx.py:207 |
| MEDIUM | **Suspicious import: socket.** Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | skills/xlsx/scripts/office/soffice.py:18 |
| MEDIUM | **Sensitive File Content Read into Memory.** The `recalc.py` script reads the entire content of the specified Excel file into memory twice using `openpyxl.load_workbook` (once with `data_only=True` and once with `data_only=False`). If the `filename` argument, which can be user-controlled, points to a sensitive file, its entire content will be loaded into the agent's memory. While there's no explicit exfiltration in the provided code, this increases the attack surface and the risk of sensitive data exposure if other vulnerabilities exist or if the agent's memory is compromised. If only specific parts of the spreadsheet are needed, use `openpyxl`'s read-only mode and iterate through cells or rows as needed, rather than loading the entire workbook into memory. Implement data handling best practices to minimize the time sensitive data resides in memory and ensure it is properly cleared. | Unknown | scripts/recalc.py:80 |