The Attack in Plain Terms
Prompt injection — the technique of embedding instructions inside data that an AI model will read and obey — has been a known risk since large language models started getting wired into productivity software. What PromptArmor's research demonstrates is that the risk isn't hypothetical anymore: it has a specific, widely-installed target.
The ChatGPT for Google Sheets add-on lets users call OpenAI's models directly from spreadsheet formulas. Type `=GPT(A1)` and the add-on sends the contents of cell A1 to ChatGPT and returns the result. Convenient. Also, structurally, a loaded gun sitting on the desk of anyone who opens a spreadsheet they didn't author.
How the Exfiltration Works
According to PromptArmor's writeup, an attacker plants a malicious instruction inside a cell — something the human user may never read, buried in a data row or hidden column. When the add-on processes that cell, the model interprets the embedded instruction as a legitimate command. The instruction tells the model to collect spreadsheet contents and send them to an attacker-controlled URL via a formula that triggers an outbound HTTP request.
The add-on already holds read access to the workbook — that's the whole point of the product. There's no privilege escalation required. The attacker is simply borrowing permissions the extension was granted on day one.
The victim's experience: nothing unusual. The spreadsheet processes. Results appear. Data leaves.
Why This Attack Surface Is Bigger Than One Add-On
It would be convenient to frame this as a single vendor's implementation problem. It isn't. The vulnerability class — AI assistant with document read access plus outbound network capability plus insufficient instruction-data separation — describes a large and growing category of enterprise software.
Every AI-powered document tool that can both read user content and make external calls is, in principle, susceptible to the same attack pattern. The ChatGPT for Google Sheets case is notable because the add-on is widely deployed and the attack path is clean, not because it represents some exotic edge case.
Google's add-on permission model grants extensions significant access at install time. Users who approved the add-on months ago almost certainly don't remember what they authorized, and Google's permission UI has never been famous for making the stakes legible.
Who Wins From the Current Situation
OpenAI benefits from broad distribution of its models through third-party integrations — the add-on ecosystem is a growth channel. Google benefits from AI features appearing inside Workspace without Google having to build or own them. Neither party has a strong short-term incentive to impose friction that might slow add-on adoption.
The enterprise security team that approved the add-on for a finance department's use? They're the ones holding the exposure.
PromptArmor published its findings publicly. As of this writing, there is no public patch, no CVE assignment, and no coordinated disclosure timeline visible from either Google or OpenAI. That's worth noting — not as an accusation, but as a data point about how seriously the ecosystem treats this class of vulnerability when the business model depends on frictionless AI integration.
What Organizations Should Do Now
If your organization uses ChatGPT for Google Sheets — or any AI add-on with similar capabilities — the immediate steps are straightforward if not painless: audit which users have the add-on installed, assess whether any of those users process sensitive or regulated data through it, and make a deliberate decision about whether the productivity gain justifies the current risk profile.
Longer term, the industry needs sandboxing standards for AI add-ons that enforce instruction-data separation at the model call level — preventing embedded cell content from being interpreted as system instructions. That's a solvable engineering problem. It's just not a solved one yet.