xlsx

Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis

The recalc.py script, a core component of this skill, uses subprocess.run to execute external system commands. Specifically, it invokes soffice (LibreOffice) to recalculate Excel formulas, and potentially timeout or gtimeout for process management. This grants the agent the capability to execute arbitrary commands on the host system. Although the current implementation uses these commands for a stated, benign purpose (spreadsheet processing), the underlying mechanism is a direct form of COMMAND_EXECUTION and presents a medium security risk.

Furthermore, the recalc.py script's setup_libreoffice_macro function creates a macro file (Module1.xba) within the user's LibreOffice configuration directory (~/Library/Application Support/LibreOffice/4/user/basic/Standard on macOS or ~/.config/libreoffice/4/user/basic/Standard on Linux). This is a form of system modification: it changes the configuration of an external application. The skill's reliance on, and interaction with, an external system dependency (LibreOffice) is a significant aspect of its operation.

No evidence of prompt injection, data exfiltration to malicious domains, or sophisticated obfuscation was found. The _meta.json references a GitHub commit from clawdbot/skills, which is not a trusted organization, but this is a reference and not a dynamic download or execution.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 09:22 AM