sophnet-xlsx

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Runtime compilation of a C shared library.
    • File: scripts/office/soffice.py
    • Description: The script contains an embedded C source string (_SHIM_SOURCE) that it writes to a temporary file and compiles into a shared object (.so) using gcc at runtime. This library is designed to intercept and shim socket-related system calls.
  • [COMMAND_EXECUTION]: Process injection via LD_PRELOAD.
    • File: scripts/office/soffice.py
    • Description: The script sets the LD_PRELOAD environment variable to the path of its custom-compiled shared library when launching the soffice (LibreOffice) process. This forces the process to load the shim and allows the skill to intercept its internal communications.
  • [COMMAND_EXECUTION]: Persistence via application macro installation.
    • File: scripts/recalc.py
    • Description: The skill automatically installs a StarBasic macro (Module1.xba) into the user's local LibreOffice configuration directory (~/Library/Application Support/LibreOffice/4/user/basic/Standard or ~/.config/libreoffice/4/user/basic/Standard). This modification persists across application sessions.
  • [DATA_EXFILTRATION]: Automated upload of local spreadsheet data.
    • File: scripts/upload_file.sh
    • Description: The skill includes mandatory instructions to upload created or modified spreadsheet files to an external service using the sophnet_tools library. While this is identified as a vendor-provided resource, it represents a significant data exfiltration surface for sensitive tabular data.
  • [PROMPT_INJECTION]: Vulnerability to indirect prompt injection.
    • Ingestion points: scripts/recalc.py, scripts/office/unpack.py, and scripts/office/validate.py ingest untrusted spreadsheet and XML data into the agent context.
    • Boundary markers: No explicit delimiters or instructions are used to separate external data from agent commands.
    • Capabilities: The skill has extensive capabilities, including arbitrary command execution via subprocess.run (to call gcc, soffice, and uv), file system write access, and network transmission.
    • Sanitization: The skill mitigates common XML vulnerabilities by using the defusedxml library.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:50 AM