xlsx
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DYNAMIC_EXECUTION]: In scripts/office/soffice.py, the skill includes a complete C source code string (_SHIM_SOURCE) that is written to a temporary file and compiled at runtime using gcc into a shared object. The skill then uses the LD_PRELOAD environment variable to inject this library into the soffice process, hijacking system calls like socket, listen, and accept.
- [COMMAND_EXECUTION]: The skill performs several direct command executions via the subprocess module:
  - scripts/recalc.py and scripts/office/soffice.py execute soffice to perform formula calculations.
  - scripts/office/soffice.py executes gcc to compile the dynamic shim library.
  - scripts/office/validators/redlining.py executes git diff to compare document versions.
- [PERSISTENCE_MECHANISMS]: The scripts/recalc.py script modifies the local environment by writing a persistent StarBasic macro (Module1.xba) to the LibreOffice user configuration directory on both Linux and macOS.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted spreadsheet data which may contain embedded instructions.
  - Ingestion points: Data enters the agent context via pandas and openpyxl when reading .xlsx, .csv, and .tsv files as specified in SKILL.md and processed in various scripts.
  - Boundary markers: No boundary markers or 'ignore' instructions are used when interpolating file data into the agent's reasoning path.
  - Capability inventory: The skill has the capability to write files, modify system configurations, and execute arbitrary commands via the recalculation and shim compilation scripts.
  - Sanitization: No evidence of data sanitization or validation of cell contents before they are processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata