xlsx
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DYNAMIC_EXECUTION]: The script `scripts/office/soffice.py` dynamically generates C source code from a hardcoded string, compiles it at runtime using `gcc`, and injects the resulting shared object into the `soffice` process using `LD_PRELOAD`. This technique is used to shim AF_UNIX socket operations, which can be restricted in sandboxed environments. While serving a functional purpose for the skill's primary task of formula recalculation, such process injection and runtime compilation are high-risk patterns.
- [PROMPT_INJECTION]: The skill contains a vulnerability surface for indirect prompt injection (Category 8).
  1. Ingestion points: Untrusted data from external spreadsheets is read into the agent's context via `pandas` operations as described in `SKILL.md`.
  2. Boundary markers: The skill's instructions do not include delimiters or specific warnings to ignore instructions embedded within the spreadsheet data.
  3. Capability inventory: The skill has powerful capabilities, including arbitrary command execution through `subprocess.run` (found in `scripts/recalc.py` and `scripts/office/soffice.py`) and file system access.
  4. Sanitization: While the skill uses `defusedxml` for secure XML processing, it lacks sanitization or filtering for the actual content of the tabular data before it is processed by the agent.
Audit Metadata