idfa-ops

Fail

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The recalc_via_libreoffice function in scripts/recalc_bridge.py is vulnerable to macro injection. It constructs a LibreOffice Basic macro by performing a simple string replacement of the {file_path} placeholder with a user-provided filename. A filename containing characters like ") : Shell("calc.exe") : rem could allow an attacker to escape the ConvertToURL call and execute arbitrary shell commands with the user's permissions when the macro is executed by the soffice binary.
  • [COMMAND_EXECUTION]: scripts/recalc_bridge.py uses subprocess.run to execute soffice and other local scripts. It specifically attempts to locate and run recalc.py from a different skill's directory (~/.claude/skills/xlsx/scripts/recalc.py), which introduces risk if that external script is compromised or malicious. It also invokes the soffice binary to execute the generated macros.
  • [EXTERNAL_DOWNLOADS]: The skill uses uv run to manage its environment, which involves automatically downloading and installing the openpyxl package from PyPI at runtime based on the PEP 723 inline metadata.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) through the processing of untrusted Excel files:
      • Ingestion points: scripts/idfa_ops.py (reads Named Range values/formulas) and scripts/idfa_audit.py (reads formulas/comments).
      • Boundary markers: None. Spreadsheet data is returned directly to the agent context without delimiters or warnings.
      • Capability inventory: Subprocess and macro execution in recalc_bridge.py and file writing in idfa_ops.py.
      • Sanitization: There is no escaping or validation of data retrieved from cell formulas or comments before it is returned to the agent as JSON.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 14, 2026, 01:30 PM
Security Audit — agent-trust-hub — idfa-ops