Security audit

Cn Excel Formula

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Excel formula helper with an optional OpenAI-powered mode, and no evidence of hidden persistence, destructive behavior, or credential misuse.

Install only if you are comfortable using an optional OpenAI-backed mode. Avoid passing confidential spreadsheet details with --ai unless your OpenAI account and data handling policy allow it; without --ai, the script uses local template matching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill is presented as a local Excel formula helper, but when --ai is enabled it can transmit the user's natural-language request to OpenAI. That creates a real data disclosure risk because spreadsheet requests may contain sensitive business data, yet the code provides no clear disclosure, consent flow, or boundary on what may be sent externally.

Missing User Warnings

Medium (97% confidence)
Finding
The code sends the user's free-form description to an external AI service without any explicit warning in output, comments, or CLI UX at the moment of transmission. Because these descriptions can include confidential formulas, identifiers, or business context, silent forwarding creates a meaningful privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.