excel
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill's core functionality involves reading and writing Excel spreadsheets, which serves as a major vector for Indirect Prompt Injection. A malicious spreadsheet could contain hidden instructions that manipulate the agent's behavior.
  - Ingestion points: External data read from spreadsheets via `spreadsheet_file` and workflow outputs.
  - Boundary markers: None identified. The instructions do not define delimiters or provide warnings to the agent to ignore instructions embedded in the spreadsheet content.
  - Capability inventory: The skill can execute local commands, write files to the user's desktop, and automatically launch applications using the `open` command.
  - Sanitization: No sanitization or validation of external content is performed before the agent processes or acts upon it.
- [COMMAND_EXECUTION] (MEDIUM): The execution logic uses a shell script that parses JSON metadata from the Refly API (`jq -r '.payload.files[]'`) and dynamically constructs commands for file downloading and opening. This pattern is vulnerable to command injection or unauthorized execution if the remote API returns malicious metadata (e.g., manipulated filenames).
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill downloads generated `.xlsx` files from the Refly platform (refly.ai) to the local desktop. This functionality introduces a dependency on the security and integrity of a third-party, non-trusted infrastructure.
Recommendations
- AI detected serious security threats