
Security audit

Maybeai Sheet Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate MaybeAI spreadsheet integration, but its examples and guidance give agents powerful edit, delete, export, and sharing abilities without enough confirmation or containment.

Install it only if you trust the MaybeAI service and intend to let the agent modify, export, share, and sometimes delete spreadsheet content using your MAYBEAI_API_TOKEN. Before running the bundled scripts, point them at test workbooks or edit out the delete/share/export steps, and require explicit confirmation for public links, editor access, row/column/worksheet deletion, and exports of sensitive workbooks.
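One way to enforce the confirmation and scoping advice above is to route every skill call through a gate that classifies the action, refuses anything outside the workbooks the user named up front, insists on an explicit worksheet gid for deletions, and either records a dry-run plan or asks for approval before any destructive, sharing, or export action goes out. The Python below is an added example written for this audit page, not code from the MaybeAI skill; the action names, the `transport` callback, and the workbook identifiers are assumptions standing in for the skill's real client.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Risk classes for the skill's operations. The action names are assumed labels
# chosen for this example, not the MaybeAI API; anything unlisted is treated as a read.
DESTRUCTIVE = {"delete_file", "rename_file", "delete_rows", "delete_columns", "delete_worksheet"}
SHARING = {"share_public", "grant_editor", "remove_access"}
EXPORT = {"export", "import_url"}
NEEDS_GID = {"delete_rows", "delete_columns", "delete_worksheet"}


class Refused(Exception):
    """A gated action lacked scope, an explicit worksheet gid, or user approval."""


def risk_class(action: str) -> str:
    if action in DESTRUCTIVE:
        return "destructive"
    if action in SHARING:
        return "sharing"
    if action in EXPORT:
        return "export"
    return "read"


@dataclass
class Gate:
    transport: Callable[[str, Dict[str, Any]], Any]  # performs the real API call (stand-in here)
    confirm: Callable[[str], bool]                    # asks the human; True means approved
    allowed_files: List[str]                          # the only workbooks this run may change
    dry_run: bool = False
    log: List[str] = field(default_factory=list)

    def call(self, action: str, args: Dict[str, Any]) -> Any:
        cls = risk_class(action)
        if cls == "read":
            return self.transport(action, args)
        # Scope: a gated action must target a workbook the user named up front.
        if args.get("file") not in self.allowed_files:
            raise Refused(f"{action}: {args.get('file')!r} is outside the allowed scope")
        # Deletions must say which worksheet; never fall back to the first gid.
        if action in NEEDS_GID and not args.get("gid"):
            raise Refused(f"{action}: refusing without an explicit worksheet gid")
        plan = f"[{cls}] {action} {args}"
        if self.dry_run:
            self.log.append("DRY-RUN " + plan)   # record what would happen, send nothing
            return None
        if not self.confirm(plan + " -- proceed?"):
            raise Refused(f"{action}: not confirmed by user")
        self.log.append("CONFIRMED " + plan)
        return self.transport(action, args)


def outcome(gate: Gate, action: str, args: Dict[str, Any]) -> str:
    """Summarise what the gate did with one action: done, dry-run or refused."""
    try:
        gate.call(action, args)
    except Refused:
        return "refused"
    return "dry-run" if gate.dry_run and risk_class(action) != "read" else "done"


def demo() -> Dict[str, str]:
    """Constructed run: the session is scoped to workbook-A and the user approves only exports."""
    sent: List[str] = []
    transport = lambda action, args: sent.append(action) or {"ok": True}
    approve = lambda prompt: prompt.startswith("[export]")
    gate = Gate(transport, approve, allowed_files=["workbook-A"])
    results = {
        "read": outcome(gate, "read_rows", {"file": "workbook-A"}),
        "export": outcome(gate, "export", {"file": "workbook-A", "format": "xlsx"}),
        "delete": outcome(gate, "delete_file", {"file": "workbook-A"}),
        "no_gid": outcome(gate, "delete_worksheet", {"file": "workbook-A"}),
        "wrong_file": outcome(gate, "share_public", {"file": "workbook-B"}),
        "sent": ",".join(sent),
    }
    # Rehearsal mode: the same delete is planned and logged but never transmitted.
    rehearsal = Gate(transport, approve, allowed_files=["workbook-A"], dry_run=True)
    results["dry_run_delete"] = outcome(rehearsal, "delete_file", {"file": "workbook-A"})
    results["dry_run_log"] = rehearsal.log[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gate deliberately treats scope and gid checks as hard refusals rather than confirmation prompts: a human can be talked into clicking "yes" by a persuasive prompt, but a missing gid or an unlisted workbook is a bug in the plan and should fail closed.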

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Severity: Medium. Confidence: 84%.
The documentation tells users not to use this skill as the primary path for chart authoring, but nearby examples and references still expose chart and picture APIs. This inconsistency weakens safety by making capability scoping ambiguous, which can lead to accidental invocation of higher-risk visual or embedded-object operations without deliberate user intent.

Description-Behavior Mismatch

Severity: Medium. Confidence: 81%.
Saying the skill excludes chart layout strategy while elsewhere advertising chart APIs creates partial-scope ambiguity. Even if this is mostly a documentation defect, it can mislead agents and reviewers about what side effects are possible, reducing the reliability of human oversight and automated policy routing.

Description-Behavior Mismatch

Severity: Medium. Confidence: 96%.
The script performs rename and delete operations automatically after upload, without any confirmation, dry-run mode, or scoping checks. In an agent skill, this is dangerous because a user expecting spreadsheet inspection or editing could trigger destructive remote file-management actions that alter or remove cloud-hosted documents.

Context-Inappropriate Capability

Severity: Medium. Confidence: 89%.
The skill includes a generic import-by-URL capability that causes the backend service to fetch remote content based on a URL, even though the sample uses a fixed example URL. In the context of an agent skill, this broadens the attack surface for unauthorized data ingestion or server-side fetching behavior that is not necessary for ordinary spreadsheet editing workflows.

Missing User Warnings

Severity: Medium. Confidence: 90%.
This skill supports writes, sharing, export, and external API interactions involving spreadsheet data, but it does not prominently warn that these actions can modify or disclose potentially sensitive workbook contents. In an agent setting, missing user-facing warnings materially raises the risk of unauthorized data exposure or destructive changes being carried out under routine spreadsheet-task framing.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The document includes destructive operations such as delete, copy/rename of existing files, export, and sharing/permission changes, but provides no confirmation, authorization, or least-privilege guidance. In an agent setting, this increases the risk of accidental data loss, oversharing, or privacy-impacting actions being executed on the wrong spreadsheet or without explicit user consent.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The reference gives direct instructions for making a sheet public or granting editor access without requiring any cautionary warning about privacy exposure, unintended broad access, or modification risk. In a skill that operationalizes spreadsheet sharing, this omission can lead an agent to perform high-impact access changes too casually, especially when handling sensitive business data.

Missing User Warnings

Severity: Low. Confidence: 83%.
The document describes removing access and listing current shares without warning that these actions can disrupt collaborators or reveal collaborator identities and emails. While these are legitimate administrative operations, the lack of cautionary framing increases the chance an agent will expose sharing metadata or revoke access without considering user impact or data minimization.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The document exposes destructive operations such as deleting rows, columns, and worksheets, but it does not consistently require explicit confirmation or a safety check before those actions. In an agent skill that can directly modify user spreadsheets, this increases the chance of accidental data loss, especially when worksheet targeting may default to the first sheet or rely on gid selection.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The document explicitly describes returning worksheet sample rows to the caller and sending compact worksheet samples to an LLM, but it does not mention any consent, redaction, sensitivity checks, or data-handling warning. In a spreadsheet workflow, sample rows can easily contain PII, financial data, secrets, or regulated business records, so silent transmission to an LLM creates a real confidentiality risk.
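A minimal safeguard for the sample-row path is to redact before anything leaves the workbook and to stop when redactions occurred and the user has not consented. The Python below is an added example written for this page, not the skill's code; the header keyword list, the value patterns, and the worksheet rows are constructed for illustration and should be extended for real data.

```python
import re
from typing import Any, Dict, List, Sequence

# Header words whose whole column is withheld regardless of content (assumed list; extend for your data).
SENSITIVE_HEADER = re.compile(r"ssn|social|password|passwd|secret|token|api[_ -]?key|iban|card|salary|birth|dob", re.I)

# Value-level patterns, applied in order. SSN precedes PHONE because the phone
# pattern is loose enough to swallow 123-45-6789.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("TOKEN", re.compile(r"\b(?:sk|ghp|xoxb|AKIA)[A-Za-z0-9_-]{10,}\b")),
    ("PHONE", re.compile(r"\+?\d[\d\s().-]{8,}\d")),
]
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits with optional separators


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so only plausible card numbers are labelled [CARD]."""
    total = 0
    for i, ch in enumerate(reversed([c for c in candidate if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_value(value: Any) -> Any:
    """Replace recognised secrets inside one cell; non-strings pass through untouched."""
    if not isinstance(value, str):
        return value
    out = CARD.sub(lambda m: "[CARD]" if luhn_ok(m.group()) else m.group(), value)
    for label, pat in PATTERNS:
        out = pat.sub(f"[{label}]", out)
    return out


def prepare_llm_sample(headers: Sequence[str], rows: Sequence[Sequence[Any]],
                       max_rows: int = 5, user_consented: bool = False) -> Dict[str, Any]:
    """Build the compact sample the skill would send to an LLM, but redacted.

    Returns the rows plus a count of redactions; 'send' is False when anything
    sensitive was found and the user has not explicitly consented, so the caller
    can stop and ask instead of transmitting silently.
    """
    sample: List[Dict[str, Any]] = []
    redactions = 0
    for row in rows[:max_rows]:
        clean: Dict[str, Any] = {}
        for header, value in zip(headers, row):
            if SENSITIVE_HEADER.search(header):
                new = f"[REDACTED:{header}]"   # whole column withheld by name
            else:
                new = redact_value(value)
            redactions += new != value
            clean[header] = new
        sample.append(clean)
    return {"rows": sample, "redactions": redactions, "send": redactions == 0 or user_consented}


def demo() -> Dict[str, Any]:
    """Constructed worksheet sample; no real people or credentials."""
    headers = ["Name", "Email", "Phone", "Card Number", "Notes"]
    rows = [
        ["Ann Lee", "ann@example.com", "+1 555 010 2345", "4111 1111 1111 1111", "API key sk-abcdefghijklmnop"],
        ["Bob Ray", "n/a", "", "1234 5678", "ok"],
    ]
    return prepare_llm_sample(headers, rows)


if __name__ == "__main__":
    result = demo()
    for row in result["rows"]:
        print(row)
    print("redactions:", result["redactions"], "send:", result["send"])
```

The value patterns are intentionally loose (a 16-digit string that fails Luhn still becomes `[PHONE]`); over-redacting a sample costs a little model quality, while under-redacting ships a customer's card number to a third party.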

Missing User Warnings

Severity: Medium. Confidence: 82%.
The export step writes a downloaded file directly to ./exported.xlsx without prompting, checking for an existing file, or using a unique temporary path. This can silently overwrite local data or leave sensitive spreadsheet contents on disk in an unexpected location.

Missing User Warnings

Severity: High. Confidence: 98%.
The script issues a delete_file request against the uploaded document URI automatically and without any confirmation. In a skill context, this creates a real risk of irreversible data loss, especially because the deletion is part of the normal execution path rather than a separately gated operation.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The script performs a destructive worksheet deletion automatically, with no confirmation prompt, dry-run mode, or validation that the targeted gid is the intended sheet. In an automation or copy-paste context, this increases the chance of accidental data loss, especially because the delete target is derived from a hard-coded URI suffix rather than an explicit runtime selection.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The script writes a remote export directly to ./workflow1_output.xlsx without checking whether the file already exists or prompting the user. This can silently overwrite local data, which is a safety and integrity issue, especially in example scripts that users may run verbatim.
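Both export findings (this one and the ./exported.xlsx case above) have the same fix: export into a private directory, reserve the file name with O_EXCL so an existing file is never overwritten, and strip any directory components from the name before using it. The Python below is an added example written for this page, not the skill's script; the directory prefix and the sample bytes are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


def export_dir(base_dir: Optional[str] = None) -> Path:
    """A private (0700) directory for exports: a fresh temp dir unless the caller names one."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="sheet-export-"))
    base.mkdir(parents=True, exist_ok=True)
    os.chmod(base, 0o700)
    return base


def write_export(data: bytes, filename: str = "exported.xlsx", base_dir: Optional[str] = None) -> Path:
    """Write an exported workbook without ever overwriting an existing file.

    Path(filename).name discards any directory part, so a name taken from a
    remote response cannot escape the export directory. O_EXCL makes the
    create-and-open atomic: if the name exists, FileExistsError is raised and
    nothing is touched. Mode 0o600 keeps the contents private to the current user.
    """
    name = Path(filename).name
    if not name:
        raise ValueError("export needs a file name")
    target = export_dir(base_dir) / name
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed run: two exports with the same name, then a traversal attempt."""
    d = tempfile.mkdtemp(prefix="demo-export-")
    first = write_export(b"PK\x03\x04 constructed xlsx bytes", "exported.xlsx", d)
    try:
        write_export(b"second run", "exported.xlsx", d)
        second = "overwrote"
    except FileExistsError:
        second = "refused"          # the first export is left intact
    escaped = write_export(b"x", "../../escape.xlsx", d)
    return {
        "first_bytes": first.read_bytes(),
        "second": second,
        "file_mode": stat.S_IMODE(first.stat().st_mode),
        "dir_mode": stat.S_IMODE(Path(d).stat().st_mode),
        "escape_contained": escaped.parent == Path(d),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Refusing on an existing name, rather than silently picking a new one, is a deliberate choice for an agent-driven script: the collision usually means a previous run's output is still on disk, which the user should notice and clean up rather than have buried under a numbered sibling.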

VirusTotal

0 of 63 engines flagged this skill; all 63 reported it clean. Note that an antivirus verdict only says the skill's files are not known malware artifacts; it says nothing about the excessive-agency and missing-confirmation issues listed above, which are instruction-level risks that no signature engine detects.
