xlsx
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Command Execution (MEDIUM): The file `scripts/office/soffice.py` performs runtime compilation of a C shim using `gcc` and injects it into the `soffice` process via `LD_PRELOAD`. This is a sophisticated process injection technique. While necessary for the skill's functionality in certain environments, it is a high-risk pattern. The severity is adjusted to MEDIUM as it is essential to the primary task.
- Command Execution (MEDIUM): The `soffice.py` script uses a fixed, predictable filename in a world-writable directory (`/tmp/lo_socket_shim.so`) for its compiled library. This is vulnerable to symlink attacks or library hijacking by other local users.
- Command Execution (LOW): The script `scripts/recalc.py` writes a persistent Basic macro to the LibreOffice configuration directory (`Module1.xba`). This modifies the application state across sessions, which could be used for persistence, although here it is used for formula recalculation.
- Indirect Prompt Injection (LOW): The skill ingests and parses untrusted Office documents, which serves as a surface for indirect prompt injection.
  - Ingestion points: Document data is read via `unpack.py`, `recalc.py`, and `validate.py`.
  - Boundary markers: No explicit delimiters or instructions were found in the code to isolate document content from the agent's logic.
  - Capability inventory: The skill can execute system commands (`gcc`, `git`, `soffice`) and write files to the local system.
  - Sanitization: The skill utilizes `defusedxml` to mitigate XXE vulnerabilities, but lacks sanitization for the semantic content or formulas within the processed files.
Audit Metadata