xlsx
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
recalc.pyscript executes system commands usingsubprocess.run, specifically callingsoffice(LibreOffice) andtimeout(orgtimeouton macOS). These commands are used to trigger formula recalculation in a headless office environment. - [COMMAND_EXECUTION]: The skill modifies the local host configuration by writing a LibreOffice Basic macro (
Module1.xba) to the user's application configuration directory (e.g.,~/.config/libreoffice/or~/Library/Application Support/LibreOffice/). This persistent modification is required for the skill's calculation features but represents a change to the local environment. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it processes untrusted external spreadsheet data.
- Ingestion points: Data is ingested from user-provided Excel, CSV, and TSV files using
pandasandopenpyxlas detailed inSKILL.mdandrecalc.py. - Boundary markers: No boundary markers or explicit instructions are provided to the agent to treat data within cells as untrusted or to ignore instructions embedded in the data.
- Capability inventory: The skill is capable of writing files to the local filesystem and executing system commands through the
recalc.pyscript. - Sanitization: No sanitization, validation, or filtering of the spreadsheet content is performed before processing or recalculation.
- [PROMPT_INJECTION]: There is a metadata discrepancy: the skill author is identified as
cam10001110101, while theLICENSE.txtfile claims copyright byAnthropic, PBC. This inconsistency could be misleading regarding the skill's provenance.
Audit Metadata