xlsx
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill spawns several system processes to perform its tasks:
scripts/office/soffice.pyexecutesgccto compile a shared object shim library.scripts/recalc.pyandscripts/office/soffice.pyexecutesoffice(LibreOffice) to update Excel formulas.scripts/office/validators/redlining.pyexecutesgit diffto perform document version comparisons.- [REMOTE_CODE_EXECUTION]: The skill performs dynamic code generation and environment-based injection:
scripts/office/soffice.pywrites C source code (_SHIM_SOURCE) to a temporary file, compiles it at runtime into a shared library, and injects it into thesofficeprocess environment using theLD_PRELOADmechanism to bypass socket restrictions.- [PROMPT_INJECTION]: The skill processes external data and has an attack surface for indirect prompt injection:
- Ingestion points: The skill reads and processes user-provided spreadsheet files (
.xlsx,.csv, etc.) as documented inSKILL.md. - Boundary markers: There are no explicit delimiters or safety instructions present to prevent the agent from accidentally obeying instructions embedded within ingested spreadsheet data.
- Capability inventory: The skill can perform arbitrary file system writes and execute subprocesses (documented in
pack.pyandrecalc.py). - Sanitization: The skill uses the
defusedxmlpackage for XML parsing to mitigate XML-based attacks (XXE), but it does not implement sanitization for natural language instructions in the cell content.
Audit Metadata