Covers the classic CSV export attack where user input like `=cmd|'/C calc'!A0` or `@SUM(1+1)` gets written to a file, then executed when someone opens it in Excel, LibreOffice, or Google Sheets. Walks through DDE injection, obfuscation tricks with extra whitespace, and Google Sheets primitives like IMPORTXML that can phone home. The testing methodology is solid: map every export sink, trace user-controlled fields into CSVs, inject benign formulas first, then match the victim's actual spreadsheet software. The defense section gives you the fix too, mostly prefixing with a single quote to force text mode. If you test anything with admin dashboards, reporting tools, or bulk exports, you'll want this loaded.
npx skills add https://github.com/yaklang/hack-skills --skill csv-formula-injection
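
The single-quote fix mentioned above, applied at the export sink, as an added example (not code from the skill or its repository). The function names, the `+` and `-` triggers, and the sample rows are assumptions made for illustration; leading whitespace is ignored when checking so that padded payloads are still caught.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula. "=" and "@"
# appear in the payloads quoted above; "+" and "-" are added as an assumption.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return value with a leading single quote if it could be read as a formula."""
    if not isinstance(value, str):
        return value  # numbers produced by the application itself stay typed
    # Check after stripping leading whitespace (spaces, tabs, CR/LF) so that
    # padded payloads do not slip past the prefix test.
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows):
    """Serialize rows to CSV text, neutralizing every string cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows, including the two payload shapes quoted above.
SAMPLE_ROWS = [
    ["name", "comment", "amount"],
    ["alice", "=cmd|'/C calc'!A0", 10],
    ["bob", "   @SUM(1+1)", -5],
    ["carol", "plain text", 3],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```

Apply the function when writing the file rather than when storing the input, so the stored data stays unmodified for non-spreadsheet consumers.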