Trust Assessment
xlsx-pro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 23 findings: 9 critical, 9 high, 5 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (23)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:13 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:48 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:76 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ricobaboule/xlsx-pro/scripts/recalc.py:50 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ricobaboule/xlsx-pro/scripts/recalc.py:75 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ricobaboule/xlsx-pro/scripts/recalc.py:127 |
| CRITICAL | **Credential harvesting.** Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:30 |
| CRITICAL | **Credential harvesting.** Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/ricobaboule/xlsx-pro/scripts/recalc.py:20 |
| CRITICAL | **Dynamic compilation and execution of C code via `gcc`.** The `scripts/office/soffice.py` module dynamically compiles an embedded C source string (`_SHIM_SOURCE`) into a shared library (`.so`) using `gcc` and then uses `LD_PRELOAD` to load it. This process involves executing `gcc` with arguments derived from internal script logic. While the C source is hardcoded within the script, the ability to compile and execute C code at runtime represents a significant security primitive. If the `gcc` command itself were compromised, or if the `_SHIM_SOURCE` could be manipulated (e.g., via a supply chain attack on the repository or temporary file system), it could lead to arbitrary code execution with the agent's permissions. This also falls under hidden instructions as C code is embedded and dynamically executed. Avoid dynamic compilation of code at runtime if possible. If necessary, ensure the compiler path is fully qualified, and the source code and output paths are strictly controlled and protected. Consider pre-compiling the shim and including it as a binary asset rather than compiling it at runtime. | LLM | scripts/office/soffice.py:69 |
| HIGH | **Unsafe environment variable passthrough.** Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:30 |
| HIGH | **Unsafe environment variable passthrough.** Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/ricobaboule/xlsx-pro/scripts/recalc.py:20 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:48 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:76 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'has_gtimeout'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ricobaboule/xlsx-pro/scripts/recalc.py:50 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'recalc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ricobaboule/xlsx-pro/scripts/recalc.py:127 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'setup_libreoffice_macro'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ricobaboule/xlsx-pro/scripts/recalc.py:75 |
| HIGH | **User-controlled filename passed to external command.** The `recalc.py` script takes a user-provided filename (from the skill's input) and passes it directly as an argument to the `soffice` command via `subprocess.run`. While `subprocess.run` with a list of arguments mitigates basic shell injection, a specially crafted filename could potentially exploit vulnerabilities in `soffice`'s argument parsing or file handling, leading to unintended actions or arbitrary code execution within the context of the agent's permissions. Validate and sanitize user-provided filenames rigorously before passing them to external commands. Consider using a whitelist of allowed characters or ensuring the path is canonicalized and does not contain special characters or directory traversal sequences. | LLM | scripts/recalc.py:106 |
| HIGH | **Unpinned Python dependencies.** The `pip install` commands in `SKILL.md` specify Python packages (`openpyxl`, `pandas`, `xlrd`, `xlwt`) without pinning them to specific versions. This can lead to vulnerabilities if a future version of any of these packages introduces malicious code, breaking changes, or new security flaws. It also makes builds non-deterministic. Pin all Python dependencies to exact versions (e.g., `openpyxl==3.0.9`). Use a `requirements.txt` file with hashed dependencies for stronger integrity checks. | LLM | SKILL.md:15 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/__init__.py:3 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:2 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ricobaboule/xlsx-pro/scripts/recalc.py:3 |
| MEDIUM | **Suspicious import: socket.** Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ricobaboule/xlsx-pro/scripts/office/soffice.py:17 |
| MEDIUM | **Unpinned system dependencies.** The `sudo apt-get install` command in `SKILL.md` specifies system packages (`libreoffice-calc`, `libreoffice-common`) without pinning them to specific versions. This can lead to vulnerabilities if a future version of LibreOffice introduces malicious code, breaking changes, or new security flaws. Specify exact versions for system dependencies if possible, or use a containerized environment with a fixed base image to ensure deterministic installations. | LLM | SKILL.md:20 |