excel-mcp

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill supports the execution of dynamic Power Query (M) and DAX code through the evaluate actions in the powerquery and datamodel tools. This capability allows the agent to run arbitrary scripts within the Excel environment. Power Query (M) specifically includes functions for external network access (e.g., Web.Contents), which could be misused to transmit data if the agent is influenced by malicious instructions.
  • [DATA_EXFILTRATION]: Documentation in references/powerquery.md and references/datamodel.md states that code snippets are automatically sent to external APIs (powerqueryformatter.com and Dax.Formatter by SQLBI) for formatting. This represents an automated external data flow of user-supplied logic to non-whitelisted third-party domains.
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md and references/behavioral-rules.md explicitly direct the agent to "NEVER Ask Clarifying Questions" and "Execute tasks immediately without asking for confirmation." These instructions override standard AI safety guidelines and conversational protocols, effectively suppressing user verification and oversight of the agent's actions.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from external workbooks and possesses high-privilege capabilities without appropriate safeguards. The agent is instructed to read cell and table values but lacks guidance on using boundary markers or treating such content as untrusted. Malicious content within a spreadsheet could potentially hijack the agent's turn to execute unauthorized operations.
      • Ingestion points: Cell and table data retrieved through range(get-values), table(get-data), and powerquery(evaluate) operations as described in SKILL.md and related reference files.
      • Boundary markers: No delimiters or instructions to ignore embedded instructions are present in the skill definition.
      • Capability inventory: 227 operations including file writing, window management (references/window.md), and visual screenshot capture (references/screenshot.md).
      • Sanitization: No validation or sanitization rules are provided for handling data read from external Excel files.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 30, 2026, 07:08 AM