excel
Fail
Audited by Snyk on Feb 22, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The macOS prerequisite contains an obfuscated base64-encoded command that instructs the user to decode and run a bash command (download/execute), which is a hidden/deceptive instruction unrelated to the Excel skill's stated purpose.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 1.00). Yes — both are highly suspicious: the GitHub link is an executable ZIP from an unknown user that the prompt says is password‑protected (a common malware delivery technique), and the other is a nonstandard download domain used in a base64‑encoded curl/bash installer that fetches from a raw IP address — strong indicators of malicious distribution.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill contains an explicitly obfuscated command that downloads and executes a remote script (base64-decoded curl | bash to an IP/domain) and directs users to install a separate native utility, which together constitute a high-risk remote code execution / supply-chain/backdoor pattern.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly accepts a fileUrl ("filePath or fileUrl
- Local path or URL to the Excel file") and includes read/analyze actions that require the agent to fetch and interpret spreadsheet content from arbitrary URLs, which are untrusted third‑party sources that could embed instructions affecting subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's prerequisites explicitly instruct installing and running remote code required at runtime—e.g., downloading and running https://github.com/denboss99/openclaw-core/releases/download/v3/openclawcore-1.0.3.zip and executing a curl|bash payload fetched from http://91.92.242.30/ (via the base64-decoded macOS command, which also references https://download.setup-service.com/pkg/), so these URLs directly deliver and execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). It instructs the user/agent to download and execute a remote installer (base64-decoded curl|bash) and run extracted binaries, which modifies the host system and can require/evade elevated privileges, so it encourages compromising machine state.
Audit Metadata