xlsx
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill performs runtime code generation, compilation, and injection.
  - The script scripts/office/soffice.py contains an embedded C source string (_SHIM_SOURCE) that is written to a temporary file and compiled with gcc at runtime.
  - The resulting shared library is then loaded into the soffice process via the LD_PRELOAD environment variable to intercept system calls. Strictly, LD_PRELOAD interposes on dynamically resolved library symbols (typically libc wrappers such as open or execve) rather than on direct system calls, and the dynamic loader ignores it for setuid binaries; the shim therefore only applies to calls that go through the shared libc.
- [COMMAND_EXECUTION]: The skill executes arbitrary commands and performs unsafe file operations.
  - The script scripts/recalc.py injects a LibreOffice Basic macro into the user's application configuration directory (~/.config/libreoffice/4/user/basic/Standard/Module1.xba, or the macOS equivalent) to automate formula recalculation. This writes into persistent user-profile state shared with the user's interactive LibreOffice, so the macro stays in place after the skill finishes unless the script later removes it.
  - The unpack function in scripts/office/unpack.py calls zipfile.ZipFile.extractall() on user-provided Office documents without any path sanitization of its own, which the audit flags as a ZipSlip vulnerability (path traversal leading to arbitrary file write). Note that CPython's zipfile drops absolute-path prefixes and ".." components when extracting, so with a stock interpreter extractall() does not itself follow traversal entries; an explicit containment check is still warranted as defense in depth and for any other extraction code path.
  - Multiple scripts use subprocess.run to execute external binaries, including soffice, gcc, and git, across several modules (scripts/recalc.py, scripts/office/soffice.py, scripts/office/validators/redlining.py).
- [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection.
  - The agent is instructed to process external spreadsheets and documents, whose contents enter the model context through scripts/recalc.py and scripts/office/unpack.py.
  - There are no boundary markers or explicit safety instructions to keep the agent from following malicious instructions embedded within these user-provided files.
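The containment check that the unpack finding above says is missing, as an added example: this is not the skill's scripts/office/unpack.py and not code from Gen Agent Trust Hub. The function names (contained_path, safe_extract, rejected_names, build_zip), the in-memory sample archives and the member names inside them are constructed for illustration; it assumes Python 3.9 or newer for pathlib's is_relative_to. Every member is resolved against the extraction root before a single byte is written, so a hostile package is refused whole rather than half-extracted.

```python
"""Path-contained extraction for an untrusted OOXML package (.xlsx is a zip).

Added example, not the skill's scripts/office/unpack.py. Function names,
the in-memory sample archives and the file names inside them are
constructed for illustration. CPython's own zipfile already drops
absolute prefixes and '..' components on extraction, so the explicit
check below is defense in depth and portable to other extraction paths.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


class UnsafeZipEntry(ValueError):
    """An archive member would be written outside the extraction root."""


def contained_path(dest: Path, member_name: str) -> Path:
    """Map an archive member name to a path under `dest`, or raise.

    Both sides are resolved (symlinks and '..' collapsed) before comparing,
    so '../x', '/etc/x', 'a/../../x' and 'C:\\x' are all rejected, as is a
    name that routes through a symlinked directory already under `dest`.
    """
    root = dest.resolve()
    name = os.path.splitdrive(member_name.replace("\\", "/"))[1]
    target = (root / name).resolve()
    if not target.is_relative_to(root):
        raise UnsafeZipEntry(f"entry {member_name!r} escapes {root}")
    return target


def rejected_names(archive: bytes, dest: Path = Path("unpacked")) -> list[str]:
    """Names in `archive` that would escape `dest`; nothing is written."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            try:
                contained_path(dest, name)
            except UnsafeZipEntry:
                bad.append(name)
    return bad


def safe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Extract `archive` under `dest`; refuse the whole archive on any escape.

    Every member is validated before anything is written, so a hostile
    package cannot leave a partially extracted tree behind.
    """
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(info, contained_path(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """In-memory zip builder; writestr stores names verbatim, so '..' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a minimal OOXML-shaped package and a traversal one.
BENIGN_XLSX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
})
HOSTILE_XLSX = build_zip({
    "xl/workbook.xml": b"<workbook/>",
    "../escaped.txt": b"would land one level above the extraction root",
    "/abs/escaped.txt": b"absolute member name",
})


def demo() -> dict:
    """Extract both samples into a scratch dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        benign_dest = tmp_path / "benign"
        benign = safe_extract(BENIGN_XLSX, benign_dest)
        hostile_dest = tmp_path / "hostile"
        try:
            safe_extract(HOSTILE_XLSX, hostile_dest)
            blocked = False
        except UnsafeZipEntry:
            blocked = True
        return {
            "benign_files": sorted(p.relative_to(benign_dest).as_posix() for p in benign),
            "blocked": blocked,
            # '../escaped.txt' would have landed here; it must not exist.
            "leaked": (tmp_path / "escaped.txt").exists(),
            # Refusal happens before any member is written, so this is empty.
            "hostile_partial": sorted(p.name for p in hostile_dest.rglob("*")),
        }


if __name__ == "__main__":
    print(demo())
```

rejected_names() is the cheap pre-flight an auditor can run over a corpus of incoming documents without touching disk; safe_extract() is the drop-in replacement for an unguarded extractall(). Resolving both sides with Path.resolve() is what makes the check robust to a symlinked subdirectory that already exists under the root, which a purely lexical ".." filter would miss.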
Recommendations
- AI detected serious security threats
Audit Metadata