xlsx
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Persistence Mechanisms] (HIGH): The script
recalc.pymodifies the user's global LibreOffice configuration directory (~/.config/libreoffice/4/user/basic/Standardor the macOS equivalent) to install a StarBasic macro (Module1.xba). This modification is permanent and alters the application's behavior beyond the scope of the skill's execution. - [Indirect Prompt Injection] (HIGH): The skill ingests untrusted Excel files and processes them using complex parsers (LibreOffice and
openpyxl). - Ingestion points: The
filenameargument inrecalc.py(viasys.argv[1]). - Boundary markers: None detected; the script directly loads and processes the provided file path.
- Capability inventory: Subprocess execution (
soffice,timeout,gtimeout) and file system write access (open(macro_file, 'w')). - Sanitization: None; the script converts the path to an absolute path but does not validate the file content or safely sandbox the LibreOffice execution.
- [Dynamic Execution] (MEDIUM): The script generates executable code (StarBasic macro) at runtime and writes it to the disk before invoking it via
subprocess.run. Although the macro content is currently hardcoded, this pattern of script generation and execution increases the attack surface. - [Command Execution] (LOW): The script uses
subprocess.runto call system binaries. While it uses argument lists (reducing shell injection risk), it relies on the presence and integrity of external tools likesofficeandtimeout.
Recommendations
- AI detected serious security threats
Audit Metadata