xlsx
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The `recalc.py` script uses `subprocess.run` and `subprocess.Popen` to execute system binaries like `soffice` and `Xvfb`. This provides a mechanism for the skill to interact with the operating system, which could be exploited if file paths or parameters are controlled by an attacker.
- [REMOTE_CODE_EXECUTION]: The script `recalc.py` dynamically writes a LibreOffice Basic macro to the user's persistent application configuration folder (`~/.config/libreoffice/` or `~/Library/Application Support/LibreOffice/`). This macro is then automatically loaded and executed by LibreOffice, establishing a form of persistence and local code execution.
- [PROMPT_INJECTION]: The skill is designed to ingest and process data from external spreadsheets, creating a vulnerability to indirect prompt injection.
  - Ingestion points: Files are read using `pandas` and `openpyxl` in `recalc.py` and through examples provided in `SKILL.md`.
  - Boundary markers: There are no markers or instructions implemented to prevent the agent from following commands embedded within spreadsheet cells.
  - Capability inventory: The skill possesses the ability to execute shell commands and modify the local filesystem.
  - Sanitization: No input validation or content filtering is performed on the spreadsheet data before it is processed.
- [EXTERNAL_DOWNLOADS]: The skill requires `LibreOffice` to be installed on the host and uses the `pandas` and `openpyxl` Python packages.
Recommendations
- AI detected serious security threats