docx
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/office/soffice.py generates C source code at runtime and compiles it into a shared object using gcc. The resulting library is injected into the LibreOffice environment using LD_PRELOAD to shim socket functions. This technique of runtime compilation and process injection is a high-risk pattern used to bypass environment restrictions.
- [COMMAND_EXECUTION]: Multiple scripts invoke external system commands via the subprocess module. Notable instances include scripts/office/soffice.py (executing gcc and soffice), scripts/accept_changes.py (executing soffice), and scripts/office/validators/redlining.py (executing git diff). These commands are used for document processing and validation.
- [EXTERNAL_DOWNLOADS]: The markdown body of SKILL.md requires the installation of the docx library from the npm registry.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by unzipping and parsing user-supplied .docx files.
  - Ingestion points: scripts/office/unpack.py extracts XML content from document archives.
  - Boundary markers: Absent; the skill does not use delimiters to isolate document content from instructions.
  - Capability inventory: The skill possesses broad capabilities, including arbitrary command execution via soffice and gcc.
  - Sanitization: The skill employs defusedxml for XML parsing, providing mitigation against XML external entity (XXE) vulnerabilities.