xlsx-generator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The scripts import `npm:xlsx@0.18.5`. This version is affected by a known Prototype Pollution vulnerability (CVE-2023-30533). When processing maliciously crafted workbooks, this could potentially lead to remote code execution or denial of service in the Deno environment.
- PROMPT_INJECTION (LOW): The skill facilitates an indirect prompt injection surface by processing external data to modify spreadsheets without sanitization.
  - Ingestion points: `scripts/analyze-template.ts` reads XLSX files; `scripts/generate-from-template.ts` reads XLSX templates and JSON specification files.
  - Boundary markers: No delimiters or safety instructions are used to distinguish template structure from untrusted content.
  - Capability inventory: The `generate-from-template.ts` script allows the creation of arbitrary Excel formulas via the `cellUpdates` property in the specification JSON.
  - Sanitization: The skill performs no validation or escaping of strings or formulas before inserting them into the output spreadsheet.
Audit Metadata