sheet
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: The `read` command in `scripts/sheet_api.py` pulls data from arbitrary Google Sheets URLs.
  - Boundary markers: There are no delimiters or instructions to ignore embedded commands mentioned in the documentation or provided code.
  - Capability inventory: The skill possesses significant capabilities including modifying spreadsheets (`update`, `append`, `clear` commands) and writing local files (`-o output.json/csv`).
  - Sanitization: No sanitization of spreadsheet content is implemented, allowing an attacker to hijack the agent's logic via cell contents.
- DATA_EXFILTRATION (HIGH): The skill targets and utilizes highly sensitive authentication data (Category 2).
  - Evidence: The documentation explicitly references accessing `~/.config/gcloud/application_default_credentials.json` (Linux/macOS) and `%APPDATA%\gcloud\application_default_credentials.json` (Windows). These files contain persistent credentials that grant broad access to the user's entire Google Cloud environment, not just specific sheets.
- COMMAND_EXECUTION (HIGH): The skill requires the agent to execute powerful shell commands (Category 5).
  - Evidence: Setup instructions require `sudo apt-get` for package installation and `gcloud auth` for authentication. Furthermore, the `uv run` execution pattern allows for arbitrary Python execution and runtime environment modification.
- EXTERNAL_DOWNLOADS (LOW): The skill performs remote downloads during setup and execution (Category 4).
  - Evidence: It downloads the Google Cloud SDK and uses `uv` to dynamically fetch `google-auth` and `google-api-python-client` at runtime. While these sources (Google and PyPI) are generally trusted, they represent an external dependency chain.
Recommendations
- AI detected serious security threats