Excel

Security checks across malware telemetry and agentic risk

Overview

This is a simple Excel helper skill with broad activation keywords and write capability, but no hidden code, persistence, credential access, or data-sharing behavior was found.

Reasonable to install for spreadsheet tasks. Because it can write Excel files and may trigger on generic spreadsheet terms, use copies of important workbooks and make sure edits are intentional before asking it to modify data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger list includes very generic terms like "Excel", "excel", "表格", "csv", and "xlsx", which can cause this skill to activate for broad, ordinary spreadsheet-related requests rather than only explicit requests for this specific capability. That increases the chance of unintended invocation, causing the agent to access or modify spreadsheet data when the user did not clearly intend to use this skill.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill states it can read and write Excel files but does not warn users that their files may be modified, overwritten, or saved back with changes. In a data-processing context, silent write capability is risky because users may expect analysis only, while the skill could alter important business data or formulas.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal