officecli
Fail
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's primary installation method involves downloading shell scripts from unverified domains ('d.officecli.ai' and 'raw.githubusercontent.com/iOfficeAI/OfficeCLI') and piping them directly to 'bash'. This behavior is a critical risk as it allows an external source to execute arbitrary commands on the host system without verification of the script content.
- [PROMPT_INJECTION]: Automated scans detected hidden Unicode characters in 'examples/excel/charts/charts-extended.xlsx'. This steganographic technique is a high-risk vector for indirect prompt injection, where an agent reading the file could be tricked into following hidden malicious instructions. Ingestion Point: 'examples/excel/charts/charts-extended.xlsx'; Boundary Markers: Absent; Capability Inventory: shell command execution and file modification; Sanitization: Absent.
- [COMMAND_EXECUTION]: Multiple Python examples within the skill (e.g., 'examples/excel/cell-formatting.py') use 'subprocess.run' with 'shell=True'. This facilitates insecure shell command execution and increases the risk of command injection if the scripts are utilized in automated environments.
- [EXTERNAL_DOWNLOADS]: The skill performs several downloads of binaries and scripts from external domains that are not verified as trusted organizations, posing a supply chain risk.
- [DATA_EXFILTRATION]: The 'watch' command implements a local HTTP server on port 26315. Local servers can be exploited in multi-stage attacks to harvest local data or perform unauthorized requests from the local network environment.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.sh, https://d.officecli.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata