Back to skill

Security audit

Maybeai Sheet Cli Skill

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet CLI skill is not clearly malicious, but it needs review because it can use an API token to mutate and share workbooks and includes an under-scoped raw API POST path.

Install only if you trust the MaybeAI CLI package and are comfortable giving it MAYBEAI_API_TOKEN access. Before use, confirm any public sharing, editor grants, raw POST calls, workbook uploads, or metadata profiling on sensitive spreadsheets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents capabilities that can read local files, write local files, and access network services, but it does not declare permissions or boundaries for those actions. In an agent setting, undeclared capabilities reduce transparency and can lead to unintended data access, file modification, or external exfiltration beyond what a user reasonably expects from a spreadsheet helper.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is spreadsheet operations, but the finding indicates additional behaviors such as editing SKILL.md, reading sibling repository metadata, generating local files, and querying PyPI. Behavior outside the declared scope is dangerous because it expands the trust boundary: a user invoking spreadsheet actions may inadvertently authorize repository modification, local file creation, or outbound network access unrelated to the requested task.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented `mbs raw post` escape hatch allows callers to send arbitrary JSON POST requests to backend spreadsheet-related endpoints outside the constrained first-class CLI surface. In an agent skill context, this weakens safety boundaries because an LLM can be induced to invoke undocumented or higher-risk state-changing operations that bypass workflow-specific validation and guardrails.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill provides commands for changing visibility and granting access, including making a workbook public, without prominent warnings about confidentiality and access control consequences. In a spreadsheet context this is especially risky because workbooks often contain sensitive business or personal data, so a casual execution of share commands can cause unintended disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The sharing examples include commands to set workbook visibility to `public` without any adjacent warning about confidentiality, discoverability, or irreversible exposure of sensitive spreadsheet contents. In a skill used by agents, this increases the risk of accidental data leakage because a model may treat the command as routine rather than privacy-impacting.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The raw HTTP escape-hatch section documents arbitrary POST operations but does not warn that such requests can mutate workbook state, execute unsafe backend actions, or bypass higher-level CLI safety expectations. In this spreadsheet skill, that omission is more dangerous because the rest of the document presents task-specific commands, making the raw interface appear equally safe despite being substantially more powerful.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The import guidance tells users to upload spreadsheets to `https://play-be.omnimcp.ai` and record remote document identifiers, but it does not warn that workbook contents leave the local environment and are transmitted to a remote service. In a file-management skill for spreadsheets, that omission can lead users to upload sensitive business or personal data without informed consent, increasing the risk of privacy, compliance, or data-handling violations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reference explicitly instructs the agent to run commands that can make a spreadsheet public, grant editor access, or remove access, but it does not require a confirmation or warning step before changing access control. In an agent setting, this creates a real risk of unintended exposure or privilege changes if a user request is ambiguous, mistaken, or socially engineered, especially because public-editor mode can allow unauthorized modification by anyone with the link.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly says non-empty sample rows are returned to the caller and sent to an LLM, but it does not prominently warn about the resulting data disclosure risk. In a spreadsheet context, sample rows can contain sensitive business or personal data, so users may unknowingly expose workbook contents to downstream systems and caches.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.