xlsx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted external data (Excel files) and possesses both file-write and command-execution capabilities.
  - Ingestion points: The `filename` argument in `recalc.py` allows the agent to process any Excel file provided by a user or external source.
  - Boundary markers: There are no delimiters or instructions to the agent to ignore embedded macros or malicious content within the spreadsheet.
  - Capability inventory: The script executes `subprocess.run(['soffice', ...])` to launch LibreOffice and uses the macro to call `ThisComponent.store()`, which writes changes back to the disk.
  - Sanitization: No validation or sanitization is performed on the Excel content before it is processed by the office suite.
- Dynamic Execution (MEDIUM): The script `recalc.py` dynamically generates a LibreOffice Basic macro (`Module1.xba`) and writes it to the user's application configuration directory (`~/.config/libreoffice/` or `~/Library/Application Support/LibreOffice/`) before triggering its execution.
- Command Execution (MEDIUM): The skill spawns external processes including `soffice`, `timeout`, and `gtimeout`. While it uses list-based arguments for `subprocess.run`, it relies on the presence and security of system-level binaries to handle untrusted file inputs.
- Persistence Mechanisms (MEDIUM): By writing a macro to the standard LibreOffice configuration path, the skill creates a persistent executable artifact on the host system that remains after the specific task is completed.
Recommendations
- AI detected serious security threats
Audit Metadata