
xlsx

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Runtime code compilation and process injection.
    • The file scripts/office/soffice.py contains logic to write C source code to a temporary file and compile it into a shared library using the gcc compiler at runtime.
    • The skill uses the LD_PRELOAD environment variable to inject the resulting shared library into the soffice (LibreOffice) process. This technique is used to intercept and modify standard system calls (such as socket, listen, and accept), which is a behavior typically associated with unauthorized process manipulation or rootkit functionality.
    • In scripts/recalc.py, the skill writes a StarBasic macro (Module1.xba) directly into the LibreOffice user configuration directory (~/.config/libreoffice/... on Linux or ~/Library/Application Support/LibreOffice/... on macOS). This modifies the application's global state and persists the macro across sessions.
    • Multiple scripts (pack.py, recalc.py, redlining.py) use subprocess.run to execute external system tools such as soffice, gcc, and git with parameters derived from file paths.
  • [PROMPT_INJECTION]: Indirect prompt injection surface and deceptive metadata.
    • The skill is designed to process untrusted Office documents provided by users. Because it triggers the execution of LibreOffice and macro-based recalculation on these files, it creates a surface for indirect prompt injection where malicious spreadsheet content could exploit the spreadsheet processing logic or the underlying Office suite.
    • Mandatory Evidence Chain for Indirect Injection:
      • Ingestion points: scripts/office/unpack.py and scripts/recalc.py read and unpack external Office files.
      • Boundary markers: No specific delimiters or warnings to ignore embedded instructions are provided in the generated code or instructions.
      • Capability inventory: The skill has extensive capabilities, including file system write access, system command execution (gcc, git), and application configuration modification.
      • Sanitization: While defusedxml is used for XML parsing, there is no validation or sanitization of spreadsheet formulas or logic before the recalc.py script triggers a full recalculation via LibreOffice.
    • Deceptive Metadata: There is a significant discrepancy between the author context provided (weihuizhong) and the internal file metadata (e.g., LICENSE.txt and SKILL.md), which claims the materials are proprietary to Anthropic, PBC. This misleading information can lead to a misjudgment of the skill's origin and its associated risks.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 5, 2026, 01:50 PM