Trust Assessment
docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 29 findings: 13 critical, 13 high, 3 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings29
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/ooxml/scripts/pack.py:103 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/ooxml/scripts/validation/redlining.py:153 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/ooxml/scripts/validation/redlining.py:185 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/accept_changes.py:68 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/accept_changes.py:99 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:14 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:37 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:59 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/validators/redlining.py:138 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/validators/redlining.py:167 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:25 | |
| CRITICAL | Path Traversal (ZIP Slip) during archive extraction The `unpack.py` script uses `zipfile.ZipFile.extractall()` with a user-controlled `output_directory`. If the `input_file` (a DOCX, PPTX, or XLSX file, which are ZIP archives) contains entries with path traversal sequences (e.g., `../../evil.txt`), it could write files to arbitrary locations outside the intended output directory. A similar vulnerability exists in `validate.py` when it unpacks a user-provided Office file to a temporary directory. Sanitize the `output_directory` to prevent path traversal, or implement a custom extraction logic that validates each member's path before extraction. For `zipfile.extractall`, iterate through `zf.namelist()` and ensure each name does not contain `..` or absolute paths, then use `zf.extract(member, path=sanitized_output_path)`. | Unknown | scripts/office/unpack.py:28 | |
| CRITICAL | Path Traversal (ZIP Slip) during archive extraction in validation The `validate.py` script unpacks a user-provided Office file (which is a ZIP archive) to a temporary directory using `zipfile.ZipFile.extractall()`. If the input file is malicious and contains path traversal sequences (e.g., `../../evil.txt`), it could write files outside the temporary directory to arbitrary locations on the filesystem. Sanitize the `path` to prevent path traversal, or implement a custom extraction logic that validates each member's path before extraction. For `zipfile.extractall`, iterate through `zf.namelist()` and ensure each name does not contain `..` or absolute paths, then use `zf.extract(member, path=sanitized_temp_dir)`. | Unknown | scripts/office/validate.py:59 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:25 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/ooxml/scripts/pack.py:103 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/ooxml/scripts/validation/redlining.py:153 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/ooxml/scripts/validation/redlining.py:185 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'accept_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/accept_changes.py:68 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/accept_changes.py:99 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:37 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:59 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/validators/redlining.py:138 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/validators/redlining.py:167 | |
| HIGH | XML Injection due to unescaped user input in comments The `comment.py` script inserts user-controlled `text` directly into an XML template (`COMMENT_XML`) without proper XML escaping. Although the skill's documentation states that the text should be pre-escaped, the script does not enforce this. An attacker could inject arbitrary XML tags (e.g., `<w:p>malicious content</w:p>`) into the comment text, potentially corrupting the document structure or injecting malicious XML elements. Before inserting user-provided `text` into the XML, ensure it is properly XML-escaped. Python's `xml.sax.saxutils.escape()` or similar functions can be used to convert special characters (&, <, >, ", ') into their corresponding XML entities. | Unknown | scripts/comment.py:60 | |
| HIGH | Path Traversal in file copy and zip creation The `accept_changes.py` script copies a user-controlled `input_file` to a user-controlled `output_file` using `shutil.copy2`. Similarly, `pack.py` creates a zip archive at a user-controlled `output_file`. If `output_file` contains path traversal sequences (e.g., `../../evil.docx`), these operations could write files to arbitrary locations outside the intended directory. While `output_path.parent.mkdir` is used, it does not prevent traversal if `output_path` itself is malicious. Sanitize user-provided file paths (`output_file`) to prevent path traversal. Ensure that the resolved path does not escape a designated base directory. For example, resolve the path and check if it starts with the expected base directory. | Unknown | scripts/accept_changes.py:30 | |
| HIGH | Path Traversal in file copy and zip creation The `pack.py` script creates a zip archive at a user-controlled `output_file`. If `output_file` contains path traversal sequences (e.g., `../../evil.docx`), these operations could write files to arbitrary locations outside the intended directory. While `output_path.parent.mkdir` is used, it does not prevent traversal if `output_path` itself is malicious. Sanitize user-provided file paths (`output_file`) to prevent path traversal. Ensure that the resolved path does not escape a designated base directory. For example, resolve the path and check if it starts with the expected base directory. | Unknown | scripts/office/pack.py:40 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-iip566eo/repo/skills/docx/scripts/office/soffice.py:18 | |
| MEDIUM | Command Injection via argument injection to `soffice` The `soffice.py` script, and by extension `accept_changes.py` and `SKILL.md` examples, pass user-controlled file paths (e.g., `output_path.absolute()`, `document.doc`) as arguments to the `soffice` external binary via `subprocess.run`. While `subprocess.run` with a list of arguments prevents shell injection, `soffice` itself might be vulnerable to argument injection. A specially crafted filename (e.g., `"--convert-to pdf; rm -rf /;"`) could be interpreted by `soffice` as a command-line option or command, leading to arbitrary command execution. Sanitize user-provided file paths before passing them as arguments to external binaries like `soffice`. Ensure that filenames do not contain characters that could be interpreted as command-line options or delimiters by the target application. Consider using a whitelist of allowed characters for filenames or quoting/escaping arguments in a way specific to the `soffice` application's parsing rules, if known. | Unknown | scripts/accept_changes.py:40 | |
| MEDIUM | Supply Chain Risk / Privilege Escalation via dynamic C compilation and LD_PRELOAD The `soffice.py` script dynamically compiles a C source file into a shared library (`.so`) using `gcc` and then uses `LD_PRELOAD` to inject this library into the `soffice` process. While the C source is hardcoded and temporary files are used, this mechanism involves high-privilege operations (compilation, runtime library injection). If the `gcc` compiler or the build environment is compromised, or if an attacker could replace the compiled `.so` file (e.g., via a race condition or insecure temporary directory permissions), it could lead to arbitrary code execution with the privileges of the `soffice` process. This introduces a significant supply chain risk and potential for privilege escalation. Avoid dynamic compilation and `LD_PRELOAD` for security-sensitive operations if possible. If necessary, ensure the build environment is highly secured, temporary directories have strict permissions, and consider integrity checks on the compiled shim. Evaluate if the `AF_UNIX` socket issue can be addressed through less privileged means or by configuring the environment differently. | Unknown | scripts/office/soffice.py:50 |
Scan History
Embed Code
[](https://skillshield.io/report/af9b60e403c6b3a9)
Powered by SkillShield