officecli-xlsx
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's setup instructions utilize piped remote execution for installation. On macOS and Linux, it pipes a script from GitHub directly into bash:
curl -fsSL https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.sh | bash. On Windows, it usesInvoke-Expression(iex) to execute a remote PowerShell script:irm https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.ps1 | iex. - [EXTERNAL_DOWNLOADS]: To function, the skill requires downloading and installing an external CLI utility ('officecli') from the author's GitHub repository.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources.
- Ingestion points: File data is read into the agent's context using
officecli viewandofficecli getinSKILL.mdandediting.md. - Boundary markers: The instructions lack delimiters or warnings to ignore instructions found within the spreadsheet data.
- Capability inventory: The skill has the ability to execute shell commands (
officecli) and modify the local file system (creating and editing workbooks). - Sanitization: There is no evidence of sanitization or filtering applied to the content extracted from
.xlsxor.csvfiles before it is processed by the agent. - [COMMAND_EXECUTION]: The skill relies on executing a local CLI tool to perform spreadsheet operations. This includes the
raw-setcommand which allows the agent to inject arbitrary XML into the workbook structure using XPath selectors, providing high-privilege access to the file's internal XML components.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.sh - DO NOT USE without thorough review
Audit Metadata