excel-variance-analyzer
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted financial data from external sources (Excel, CSV) that could contain malicious instructions.
- Ingestion points: Budget and actual data files (Excel, CSV, or pasted tables) as specified in Step 1 of SKILL.md.
- Boundary markers: Absent; the instructions do not require the use of delimiters or specific warnings to ignore embedded commands when processing external content.
- Capability inventory: Significant tools are available, including file system access (Read, Write, Edit, Glob, Grep) and shell command execution via Bash (npx).
- Sanitization: Absent; while the skill checks for numeric values, it lacks validation to filter out or escape instructional text that might be hidden in data headers or non-numeric fields.
Audit Metadata