Trust Assessment
xlsx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 28 findings: 13 critical, 13 high, 1 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings28
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/recalc.py:31 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/recalc.py:84 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/recalc.py:92 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:14 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:37 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:59 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/validators/redlining.py:138 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/validators/redlining.py:167 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/recalc.py:34 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/recalc.py:55 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/recalc.py:92 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:25 | |
| CRITICAL | Dynamic C code compilation and LD_PRELOAD for LibreOffice The `soffice.py` script dynamically compiles a C shim (`_SHIM_SOURCE`) using `gcc` and then sets the `LD_PRELOAD` environment variable for the `soffice` process. This mechanism allows for interception of low-level system calls (`socket`, `listen`, `accept`, `close`, `read`). While intended to work around sandboxing limitations, this introduces a significant attack surface. If the embedded C code contains vulnerabilities, or if the `soffice` application can be exploited in conjunction with the shim (e.g., via a malicious Excel file processed by the skill), it could lead to arbitrary code execution with elevated privileges. The use of `LD_PRELOAD` is a powerful technique that bypasses standard security mechanisms. Avoid dynamic compilation and `LD_PRELOAD` if possible. If absolutely necessary, conduct a thorough security audit of the C shim code and the interaction with LibreOffice. Ensure that `soffice` is run in the most restrictive sandbox possible, and that all inputs (especially Excel files) are treated as untrusted. Consider alternative methods for inter-process communication that do not involve `LD_PRELOAD`. | Unknown | scripts/office/soffice.py:30 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:25 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/recalc.py:92 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/recalc.py:31 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/recalc.py:84 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:37 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:59 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/validators/redlining.py:138 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/validators/redlining.py:167 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/recalc.py:92 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'has_gtimeout'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/recalc.py:34 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/recalc.py:55 | |
| HIGH | Path Traversal via `shutil.copytree` with untrusted input directory The `pack.py` script uses `shutil.copytree(input_dir, temp_content_dir)` where `input_dir` is derived from `input_directory`. If `input_directory` is controlled by untrusted input and contains symbolic links (or other directory traversal techniques like `../`), an attacker could cause arbitrary files to be written or overwritten outside the intended temporary directory, potentially leading to data corruption or system compromise. Implement robust input validation and sanitization for `input_directory`. Specifically, check for and resolve any symbolic links within the input directory structure before copying, or use a safer copying mechanism that does not follow symlinks by default (e.g., manually copying files after verifying their paths). Ensure the `input_directory` is strictly confined to a safe, isolated area. | Unknown | scripts/office/pack.py:30 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 13 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | Unknown | (sanity check) | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-qrktu0_3/repo/skills/xlsx/scripts/office/soffice.py:18 | |
| LOW | Hardcoded LibreOffice macro written to user config The `setup_libreoffice_macro` function writes a hardcoded LibreOffice Basic macro (`RECALCULATE_MACRO`) to the user's LibreOffice configuration directory. While the macro content is static, this mechanism could be a vector for arbitrary code execution if the `RECALCULATE_MACRO` string itself were compromised through a supply chain attack on the skill package. It also modifies user configuration outside of the immediate task scope. Minimize writing to user configuration directories. If necessary, ensure the integrity of the macro content through cryptographic means. Clearly document this behavior to users. | Unknown | scripts/recalc.py:59 |
Scan History
Embed Code
[](https://skillshield.io/report/2898c1bdf20b338a)
Powered by SkillShield