xlsx
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/office/soffice.py dynamically generates C source code and executes gcc via subprocess.run to compile it into a shared library at runtime.
- [COMMAND_EXECUTION]: The skill utilizes the LD_PRELOAD environment variable to inject a compiled shared library into the soffice process. This process-hooking technique is used to intercept system calls like socket, listen, and accept to bypass environment restrictions.
- [COMMAND_EXECUTION]: The script scripts/recalc.py executes soffice with parameters designed to trigger a dynamically configured LibreOffice Basic macro (RecalculateAndSave).
- [COMMAND_EXECUTION]: The scripts scripts/office/pack.py and validate.py use RedliningValidator, which executes git diff via subprocess.run to compare document versions.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface through the following evidence chain:
  1. Ingestion points: Untrusted data is read from spreadsheets via pd.read_excel and load_workbook (SKILL.md).
  2. Boundary markers: Absent.
  3. Capability inventory: The skill can execute system commands and compile code via subprocess.run and gcc (soffice.py).
  4. Sanitization: External content is processed without validation or filtering.
Recommendations
- AI detected serious security threats