Security audit

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet skill appears purpose-built for MaybeAI Excel workflows, but it gives broad token-powered read, upload, edit, export, and delete examples without enough safety controls.

Review before installing. Use this only if you intend to send spreadsheets to MaybeAI and allow token-authorized spreadsheet operations. Keep the bearer token private, avoid running the example scripts against production or sensitive workbooks, and use copies or test files for delete, clear, rename, append, update, import, and export workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents executable shell usage via curl/bash scripts while declaring no explicit permissions, creating a mismatch between the skill's apparent trust boundary and its real capabilities. This can cause an agent or reviewer to underestimate that the skill can trigger networked actions and file operations through shell commands.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The add_picture operation accepts an arbitrary external picture_url, which can cause the backend service to fetch attacker-controlled URLs. That creates a server-side network access primitive and can be abused for SSRF-style access to internal services, metadata endpoints, or other unintended network targets if the API does not strictly validate destinations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description says to use the skill for virtually any Excel data operation, which is an overly broad invocation scope for a skill that can read, modify, delete, export, and copy files. Broad routing language increases the chance the skill is invoked in contexts where destructive or sensitive data actions were not the user's intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises destructive capabilities such as delete, rename, overwrite, worksheet removal, and bulk row/column operations without requiring confirmation or warning about irreversible changes and data loss. In an agent setting, this makes accidental or prompt-induced destructive actions materially more dangerous because the skill normalizes direct execution paths for those operations.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The setup section instructs users to copy and export a bearer token into the environment but does not warn against logging, sharing, committing, or echoing that token. Because the token grants API access to spreadsheet operations, poor handling could lead to unauthorized access, data modification, or exfiltration.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The upload example sends a local spreadsheet to a remote third-party service, but the script gives no explicit pre-action warning, confirmation, or environment guardrail. In a skill meant for spreadsheet lifecycle management, this increases the risk of accidental exfiltration of sensitive business data because users may run the example as-is on real files.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script performs a destructive remote delete immediately with no confirmation, safety switch, or validation of the target document ID. In a file-management skill, destructive actions are expected, but omission of a confirmation step makes accidental data loss materially more likely if a user substitutes a real document ID and runs the whole script.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script performs a destructive worksheet deletion operation directly against the remote API with no confirmation prompt, dry-run mode, safeguard, or warning. In the context of a worksheet-management skill, deletion is expected functionality, but packaging it as an example script that executes automatically increases the chance of accidental data loss if run against the wrong document or environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs delete_chart and delete_picture actions immediately with hardcoded object IDs and no confirmation, dry-run mode, or safety guard. In an automation context this can lead to accidental destructive changes to user spreadsheets, especially if run against the wrong document or reused as a template.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads a local spreadsheet to a third-party remote service and later retrieves processed workbook data, but provides no explicit warning, confirmation, data-classification check, or privacy guardrail before transmitting potentially sensitive spreadsheet contents. In a spreadsheet-management skill, this behavior is core functionality, but it is still a real security/privacy risk because Excel files commonly contain confidential business, financial, or personal data.

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 3: Read Sheet1
echo "[3/4] Reading Sheet1 ..."
curl -s -X POST "$BASE_URL/api/v1/excel/read_sheet" \
  -H "Content-Type: application/json" \
  -d "{\"uri\": \"$DOC_ID\", \"sheet\": \"Sheet1\"}" \
  | jq .
Confidence
79% confidence
Finding
curl -s -X POST "$BASE_URL/api/v1/excel/read_sheet" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 4: Update a range and export
echo "[4/4] Updating A1:B2 and exporting ..."
curl -s -X POST "$BASE_URL/api/v1/excel/update_range" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
Confidence
81% confidence
Finding
curl -s -X POST "$BASE_URL/api/v1/excel/update_range" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
\"values\": [[\"Product\",\"Q1\"],[\"Widget\",5000]]
  }" | jq .

curl -s -o "./workflow1_output.xlsx" \
  "$BASE_URL/api/v1/excel/export/$DOC_ID"
echo "Exported to ./workflow1_output.xlsx"
Confidence
84% confidence
Finding
curl -s -o "./workflow1_output.xlsx" \ "$BASE_URL/api/v1/excel/export/$DOC_ID" echo "Exported to ./workflow1_output.xlsx" echo "" echo "============================================================"

External Transmission

Medium
Category
Data Exfiltration
Content
echo "============================================================"

echo "[1/3] Appending new rows to Sheet1 ..."
curl -s -X POST "$BASE_URL/api/v1/excel/append_rows" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
Confidence
80% confidence
Finding
curl -s -X POST "$BASE_URL/api/v1/excel/append_rows" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
| jq .

echo "[3/3] Reading updated sheet ..."
curl -s -X POST "$BASE_URL/api/v1/excel/read_sheet" \
  -H "Content-Type: application/json" \
  -d "{\"uri\": \"$DOC_ID\", \"sheet\": \"Sheet1\"}" \
  | jq .
Confidence
79% confidence
Finding
curl -s -X POST "$BASE_URL/api/v1/excel/read_sheet" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
