xlsx
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [Command Execution] (SAFE): The skill uses `subprocess.run` to call `soffice` (LibreOffice) and system timeout utilities. These calls use list-based arguments, which prevents shell injection vulnerabilities. This behavior is essential for the skill's purpose of automating Excel recalculation.
- [Dynamic Execution] (SAFE): The skill generates a StarBasic macro file (`Module1.xba`) and stores it in the LibreOffice user profile directory. While this constitutes dynamic code generation, the macro content is hardcoded, benign, and restricted to calculating and saving the document.
- [Indirect Prompt Injection] (SAFE): The skill processes external Excel files, which represents a potential ingestion surface for untrusted data.
  - Ingestion points: `recalc.py` reads cell data using the `openpyxl` library to scan for Excel errors.
  - Boundary markers: Absent; however, the skill does not interpret cell content as instructions.
  - Capability inventory: File system access and subprocess execution (`soffice`).
  - Sanitization: The script treats cell values strictly as strings for comparison against static error codes (e.g., '#VALUE!'), preventing any execution of content found within the spreadsheet cells.
Audit Metadata