xlsx
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill contains logic to compile C source code at runtime using gcc. The resulting shared object is then injected into the LibreOffice (soffice) process environment via the LD_PRELOAD environment variable. This is a high-risk pattern that allows for the execution of arbitrary compiled code and process-level manipulation (File: scripts/office/soffice.py).
- [COMMAND_EXECUTION]: The skill uses subprocess.run to execute multiple system commands, including invoking the C compiler (gcc) and launching the LibreOffice suite with specialized arguments (Files: scripts/office/soffice.py, scripts/recalc.py).
- [COMMAND_EXECUTION]: The recalculation script automatically writes a StarBasic macro to the user's application configuration directory (e.g., ~/.config/libreoffice/...). This constitutes unauthorized modification of application configuration and persistence of custom executable logic within the productivity suite (File: scripts/recalc.py).
- [PROMPT_INJECTION]: The skill represents a significant surface for indirect prompt injection (Category 8):
  - Ingestion points: Reads external spreadsheet data using pandas.read_excel and openpyxl.load_workbook (File: SKILL.md).
  - Boundary markers: No delimiters or instructions are provided to the agent to ignore potentially malicious content or formulas within the processed files.
  - Capability inventory: The skill has extensive capabilities including file system write access, arbitrary command execution via subprocess, and runtime code compilation (File: scripts/office/soffice.py).
  - Sanitization: Content is parsed for XML well-formedness (using defusedxml), but there is no sanitization or filtering of data/formulas before they are processed by the agent or the recalculation engine.
Recommendations
- AI detected serious security threats
Audit Metadata