Trust Assessment
xlsx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 3 critical, 5 high, 2 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Network egress to untrusted endpoints".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 1/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution**: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/xlsx/recalc.py:31 |
| CRITICAL | **Arbitrary command execution**: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/xlsx/recalc.py:84 |
| CRITICAL | **Arbitrary command execution**: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/xlsx/recalc.py:92 |
| HIGH | **Dangerous call: subprocess.run()**: Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/xlsx/recalc.py:92 |
| HIGH | **Dangerous call: subprocess.run()**: Call to 'subprocess.run()' detected in function 'setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/xlsx/recalc.py:31 |
| HIGH | **Dangerous call: subprocess.run()**: Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/xlsx/recalc.py:84 |
| HIGH | **Execution of external application (`soffice`) with potentially untrusted input**: The `recalc.py` script executes the `soffice` (LibreOffice) application using `subprocess.run`. The file path (`abs_path`) passed to `soffice` is derived from the `filename` argument, which can originate from the LLM's output (and thus be influenced by untrusted user input). While `subprocess.run` is used with a list of arguments, mitigating direct shell injection, `soffice` is a complex application. Processing a specially crafted `.xlsx` file could exploit vulnerabilities within `soffice` itself (e.g., parsing bugs, memory corruption, arbitrary code execution flaws), leading to compromise of the host system. The script's design to use a specific, hardcoded macro (`RecalculateAndSave`) mitigates risks from *macros within the input file*, but not from other types of `soffice` vulnerabilities. 1. **Input Validation**: Strictly validate and sanitize the `filename` argument to ensure it only contains safe characters and does not attempt path traversal or other malicious constructs. 2. **Sandboxing**: Execute `soffice` within a tightly constrained sandbox environment (e.g., Docker container, gVisor, firejail) with minimal permissions and network access. 3. **Alternative Libraries**: Explore pure-Python libraries for formula recalculation if available and suitable, to avoid external process execution. 4. **Least Privilege**: Ensure the user running the `soffice` process has the absolute minimum necessary permissions. | Static | recalc.py:59 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings**: Deterministic layers flagged 3 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| MEDIUM | **Network egress to untrusted endpoints**: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Excessive permissions due to full office suite execution**: The skill relies on executing the full LibreOffice suite (`soffice`) to recalculate formulas. While necessary for its function, `soffice` is a large, complex application with broad capabilities (e.g., extensive file system access, network access, macro execution, scripting). Running such a powerful application with potentially untrusted input (an Excel file generated by the LLM, which can be influenced by user input) grants a wide attack surface. Even if direct macro execution from the input file is mitigated, other vulnerabilities in `soffice` could be exploited due to its extensive capabilities. 1. **Sandboxing**: Execute `soffice` in a highly restricted environment (e.g., Docker container, gVisor, firejail) to limit its access to the host system's resources. 2. **Minimize `soffice` capabilities**: Investigate if `soffice` can be run with further restrictions (e.g., disabling specific components or features) to reduce its attack surface. 3. **Consider alternatives**: If possible, use a more lightweight, purpose-built tool or library that only handles formula recalculation without the full overhead and potential vulnerabilities of a complete office suite. | Static | recalc.py:59 |
| LOW | **Covert behavior / concealment directives**: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |