PromptArmor says ChatGPT for Google Sheets can exfiltrate entire workbooks via a single prompt injection

The AI risk team reports that OpenAI’s new Sheets add-on can be manipulated to run attacker scripts and steal data across an account, even with human approvals required.

Why it matters

Agentic AI inside office suites changes the blast radius. PromptArmor says a single injected cell can push the Sheets add-on to run privileged scripts and raid linked workbooks, even with approvals on. If accurate, this is a governance and permissions problem as much as a prompt problem, and it will push buyers to demand clearer scopes, admin controls, and monitoring for AI extensions.

In a threat post, PromptArmor published a step-by-step attack chain showing how OpenAI's ChatGPT for Google Sheets extension can be manipulated by an indirect prompt injection to run attacker-controlled scripts and siphon data from multiple workbooks across a user's account. The team says the attack can also replace the sidebar UI with an attacker chatbot, pop a phishing overlay, and make unauthorized edits.

PromptArmor positions itself as an enterprise AI risk platform for TPRM, InfoSec, GRC, Privacy, and Security Assurance teams, with monitoring mapped to frameworks like OWASP for LLM Top 10, NIST AI RMF, and MITRE Atlas. On its homepage, the company says it protects over 2 trillion dollars in customer market cap and has published prior research on indirect prompt injection in widely used AI features.

What PromptArmor found

According to the post, OpenAI recently launched the Sheets add-on and it has accumulated over 185,000 downloads in less than a month. The extension runs a chatbot in a sidebar that can operate on spreadsheet data and pull from ChatGPT connectors. PromptArmor says a single benign user request can trigger a cascade if any imported or connected data contains a hidden prompt injection:

  • ChatGPT for Google Sheets is induced to execute an external attacker script using the permissions the user granted the extension.
  • That script exfiltrates the current model and enumerates links to additional workbooks, then repeats the process across the account.
  • The sidebar can be overwritten with an attacker-controlled chatbot and an interactive phishing pop-up can be displayed.

PromptArmor adds that this works even when the user has disabled automatic edits and required human-in-the-loop approval, because the external script runs with the extension's privileges outside that approval flow. The post argues that OpenAI's public documentation for the Sheets and Excel extensions emphasizes functional limits and data handling but does not call out privileged scripting capability or manipulation risks from indirect prompt injection.

Server logs showing exfiltrated spreadsheet data in PromptArmor's demo

Disclosure and open questions

PromptArmor says it filed a responsible disclosure with OpenAI and received only an automated acknowledgement despite multiple follow-ups. The company published the write-up to help enterprises assess the risk surface while awaiting any official guidance or updates. OpenAI's help article for the Sheets and Excel extensions is linked in the post, but it does not address the specific exploit path described.

For operators rolling out generative assistants inside productivity suites, the report highlights a familiar tension: product teams want agentic helpers that can take actions across documents and connectors, while security teams need clear scoping, admin controls, and guardrails against untrusted data. PromptArmor's broader pitch is that this is exactly where continuous monitoring of AI assets and permissions matters.

If your org has piloted or deployed the ChatGPT for Google Sheets extension, the post is worth a careful read. At minimum, review connector usage, imported data sources that could carry malicious instructions, and the OAuth scopes granted to third-party add-ons. The specifics here come from PromptArmor's testing; there is no separate acknowledgement from OpenAI in the materials we reviewed.
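One way to start the OAuth scope review suggested above, as an added example that is not from PromptArmor or OpenAI: a triage script over per-user token grants in the shape returned by the Google Admin SDK Directory API `tokens` resource. The scope names are real Google scopes, but the risk buckets, the severity labels and every sample grant are assumptions of this example; the article does not list the scopes the ChatGPT extension requests.

```python
# Added example (not from the article): triage OAuth grants held by add-ons.
# Input shape follows the Admin SDK Directory API "tokens" resource
# (userKey, displayText, scopes); every grant in SAMPLE is constructed.
PREFIX = "https://www.googleapis.com/auth/"

# Real Google scope names; grouping them into risk buckets is this example's assumption.
EGRESS = {"script.external_request"}            # Apps Script may call external URLs
BROAD_DATA = {"spreadsheets", "spreadsheets.readonly", "drive", "drive.readonly"}
UI = {"script.container.ui"}                    # may show sidebars and dialogs

def short(scope):
    """Strip the common URL prefix so scopes compare by their short name."""
    return scope[len(PREFIX):] if scope.startswith(PREFIX) else scope

def assess(grant):
    """Return a list of findings for one grant; empty means nothing flagged."""
    scopes = {short(s) for s in grant.get("scopes", [])}
    egress = bool(scopes & EGRESS)
    broad = sorted(scopes & BROAD_DATA)
    findings = []
    if egress and broad:
        findings.append("HIGH: reaches files beyond the open one (%s) and can send data out"
                        % ", ".join(broad))
    elif egress:
        findings.append("MEDIUM: can send data out, no account-wide file scope")
    elif broad:
        findings.append("MEDIUM: account-wide file scope (%s), no outbound-request scope"
                        % ", ".join(broad))
    if egress and scopes & UI:
        findings.append("NOTE: can also render sidebar/dialog content")
    return findings

def audit(grants):
    """Map (user, app) -> findings for every grant that was flagged."""
    return {(g["userKey"], g["displayText"]): f
            for g in grants if (f := assess(g))}

SAMPLE = [  # constructed grants; app names are placeholders, not real products
    {"userKey": "alice@example.com", "displayText": "Example AI Sheets Assistant",
     "scopes": [PREFIX + "spreadsheets", PREFIX + "script.external_request",
                PREFIX + "script.container.ui"]},
    {"userKey": "bob@example.com", "displayText": "Example Formatter",
     "scopes": [PREFIX + "spreadsheets.currentonly", PREFIX + "script.container.ui"]},
    {"userKey": "carol@example.com", "displayText": "Example Exporter",
     "scopes": [PREFIX + "spreadsheets.currentonly", PREFIX + "script.external_request"]},
]

if __name__ == "__main__":
    for (user, app), findings in audit(SAMPLE).items():
        for line in findings:
            print(f"{user}  {app}: {line}")
```

The HIGH bucket pairs outbound requests with access beyond the open file, which is the permission combination the reported chain would depend on to move data from linked workbooks off the account.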
