spreadsheet-processor
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The script
recalc.pyinvokes system binaries (soffice,timeout, andgtimeout) usingsubprocess.run. While it avoidsshell=True, it performs platform-dependent command construction and executes external software to process user-provided files. - Persistence and Dynamic Execution (MEDIUM): The function
setup_libreoffice_macrowrites an executable StarBasic macro (RecalculateAndSave) to the user's persistent configuration path (e.g.,~/.config/libreoffice/4/user/basic/Standard/Module1.xba). This modifies the filesystem outside the immediate working directory and creates executable logic that persists across sessions. - Indirect Prompt Injection (LOW):
- Ingestion points: In
recalc.py, the script reads and parses all cell values from an untrusted Excel file usingopenpyxlto check for error strings. - Boundary markers: None. The script iterates through raw cell content without using delimiters or instructions to the LLM to ignore embedded commands.
- Capability inventory: File system write (macro generation), file system read (workbook parsing), and system process execution (LibreOffice).
- Sanitization: No sanitization or escaping is performed on the data extracted from the Excel cells before it is returned in the JSON result, which could lead to downstream prompt injection if an agent processes the cell coordinates or error summaries.
Audit Metadata