excel-automation
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Use of `osascript` for programmatic control of the Microsoft Excel UI on macOS. This capability allows the agent to manipulate the application window and active sheets via AppleScript instructions provided in the skill documentation.
- [COMMAND_EXECUTION]: Execution of the system `file` utility via `subprocess.run` in `scripts/parse_complex_excel.py`. This is used to determine the MIME type of files before processing, representing a vector for system command execution.
- [COMMAND_EXECUTION]: Vulnerable ZIP extraction in `scripts/parse_complex_excel.py`. The `fix_defined_names` function utilizes `zf.extractall()` on user-provided Excel files without performing path validation. This is susceptible to 'ZipSlip' attacks, where a malicious archive could overwrite sensitive files outside the intended temporary directory.
- [PROMPT_INJECTION]: Deceptive metadata poisoning via the `.security-scan-passed` file. This file contains a fabricated security verdict and content hash, which is a common obfuscation tactic used to provide a false sense of security and bypass manual or automated review processes.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface (Category 8):
  - Ingestion points: `scripts/parse_complex_excel.py` reads cell data and XML structures from external `.xlsx` and `.xlsm` files.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to differentiate between data and commands when processing Excel content.
  - Capability inventory: UI automation via AppleScript, file system writes via ZIP repackaging, and subprocess execution.
  - Sanitization: Absent. Extracted cell values and XML text are processed as raw strings without validation or sanitization before being displayed or used.
Audit Metadata