xllify – Things you need to know about XLL add-ins

Things you need to know about XLL add-ins

XLL add-ins are native Windows binaries that load directly into Excel. They offer significant advantages for calculation-heavy workbooks but come with trade-offs worth understanding before running and distributing them. Concerned about XLL security? Read on. This page covers the risks honestly, including where xllify's sandbox mitigates a lot of traditional XLL risks.

Advantages

Performance. XLLs run as native code inside Excel's process with no browser layer, no JavaScript overhead, and no cross-process marshalling. They support multi-threaded recalculation (MTR), so Excel can evaluate your functions across multiple cores simultaneously. For workbooks with thousands of formula calls this makes a real difference.
No server required. An XLL is a single file. Drop it into Excel and your functions are available immediately. No web hosting, no localhost dev server, no manifest to sideload.
Sandboxed function code. Function code has no access to the network, file system, or OS. Even if a function contains a bug, it cannot interact with the system beyond returning a value to Excel.
Offline. Once installed, an XLL works without any network connection.

Things to be aware of

Windows only. XLLs are native Windows DLLs. They do not work on macOS or Excel for the web. If you need cross-platform support, use the Office Add-in build instead, or build both and check the XLL-compatible checkbox when building (coming soon).
Native code trust model. Although your Luau function code is sandboxed, the XLL runtime itself is a native binary that Excel loads into its process. Windows and Excel treat unsigned native binaries with caution. Users will see security warnings, and some organisations block unsigned DLLs entirely.
IT policies. Many corporate environments restrict which add-ins can be loaded. Check with your IT department before distributing an XLL internally.
XLL blocking and Mark of the Web. Recent versions of Excel block untrusted XLL add-ins by default. When downloaded from the internet, Windows marks the file with a Mark of the Web (MOTW) flag and Excel will refuse to load it. To unblock, right-click the file in File Explorer, choose Properties, and tick Unblock on the General tab. See Microsoft's guide for more detail.

Code signing

Code signing is something we highly recommend when distributing an XLL. A signed binary tells Windows and your users that the file comes from a known publisher and has not been tampered with. Without a signature:

Windows SmartScreen may block the file entirely.
Excel will show a security warning every time the add-in is loaded.
Group Policy and endpoint-protection tools may quarantine the file.

XLLs built by xllify are currently downloaded unsigned. You can sign them yourself using a code-signing certificate before distributing them. Microsoft's Azure Trusted Signing is a straightforward and affordable option. You can also use a traditional code-signing certificate with signtool.exe from the Windows SDK.

Built-in code signing from within xllify is on the roadmap.

The sandbox in detail

xllify compiles your function code to Luau bytecode. Luau is a language derived from Lua, designed from the ground up for safe sandboxed execution and battle-tested by Roblox across millions of developers. The xllify runtime deliberately does not expose any file-system, network, or OS APIs to the scripting environment. Your function code can perform calculations, manipulate strings and tables, and return results to Excel. Nothing more. In the future, a sensible set of opt-in entitlements such as HTTP GET will be permitted to allow-listed domains.

The xllify runtime is the same trusted, read-only binary in every build. There is no mechanism to break out of the sandbox or inject native code through xllify. Enterprise customers are encouraged to review the runtime and sandbox.

The sandboxing is not formally proven: since the Luau VM is implemented in C++, compiler or standard library vulnerabilities could in theory be exploitable. In practice these are very rare and fixed quickly. See the Luau sandbox documentation for a full discussion.