Excel Auto Clean

Security checks across malware telemetry and agentic risk

Overview

This paid Excel-cleanup skill is not clearly malicious, but its core processing module is missing and its automatic data changes need careful review before use.

Review before installing or paying. Keep the original spreadsheet, confirm how duplicates and empty rows are identified, inspect the generated file before relying on it, and be aware that the package appears incomplete because the referenced Excel handler file is missing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The code tells the user that a new file has been saved to the desktop, which implies file creation or modification, but there is no explicit consent flow, destination confirmation, or disclosure of what files may be overwritten. In a file-processing skill, undisclosed write behavior can lead to unexpected data loss, leakage to an unintended location, or user confusion about where sensitive output is stored.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to delete rows/columns, deduplicate, sort, and save output without any requirement for preview, confirmation, backup, or explicit non-overwrite handling. In a data-processing skill, these transformations can irreversibly alter business records or discard legitimate data, making accidental data loss a realistic risk even if the save target is described as a new file.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal