excel-parser
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The function `install_dependency` in `scripts/excel_parser.py` uses `subprocess.check_call` to execute `pip install` commands. This allows the skill to modify the host environment's Python packages at runtime.
- [EXTERNAL_DOWNLOADS]: The skill automatically downloads and installs libraries from the Python Package Index (PyPI), specifically `python-calamine`, `xlrd`, and `openpyxl`, if they are not already installed on the system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its data processing workflow.
  - Ingestion points: The skill reads data from user-provided Excel files (`.xls`, `.xlsx`, `.xlsm`, etc.) in `scripts/excel_parser.py`.
  - Boundary markers: Absent; there are no specific markers or instructions used to separate the extracted spreadsheet data from other agent instructions.
  - Capability inventory: The skill possesses command execution capabilities via `subprocess.check_call` and filesystem write access via `openpyxl`'s `wb.save` and `update` methods in `scripts/excel_parser.py`.
  - Sanitization: Absent; extracted cell content is converted to strings but is not sanitized or filtered to prevent the agent from interpreting it as instructions.
Audit Metadata