Summary
Covers the classic CSV export attack where user input like `=cmd|'/C calc'!A0` or `@SUM(1+1)` gets written to a file, then executed when someone opens it in Excel, LibreOffice, or Google Sheets. Walks through DDE injection, obfuscation tricks with extra whitespace, and Google Sheets primitives like IMPORTXML that can phone home. The testing methodology is solid: map every export sink, trace user controlled fields into CSVs, inject benign formulas first, then match the victim's actual spreadsheet software. The defense section gives you the fix too, mostly prefixing with a single quote to force text mode. If you test anything with admin dashboards, reporting tools, or bulk exports, you'll want this loaded.
Install to Claude Code
npx -y skills add yaklang/hack-skills --skill csv-formula-injection --agent claude-codeInstalls into .claude/skills of the current project.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Files
SKILL.md
Select a file.
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →First SeenMay 16, 2026
