docx
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Runtime compilation and process injection.
- File:
scripts/office/soffice.py - Evidence: The script contains hardcoded C source code in the
_SHIM_SOURCEvariable. At runtime, it writes this source to a temporary file, compiles it usinggcc -shared -fPIC, and then injects the resulting shared object into thesofficeprocess via theLD_PRELOADenvironment variable. This shims standard library functions (socket, listen, accept, etc.) to handle restricted socket environments. This is a highly privileged execution pattern. - [COMMAND_EXECUTION]: Arbitrary execution of external binaries.
- Files:
scripts/accept_changes.py,scripts/office/soffice.py,scripts/office/validators/redlining.py - Evidence: The skill makes extensive use of
subprocess.runto invoke external system tools includingsoffice,gcc,git, andpandoc. Arguments to these commands include file paths and configuration flags derived from task input. - [PROMPT_INJECTION]: Indirect prompt injection surface.
- Files:
scripts/office/unpack.py,scripts/office/validators/redlining.py - Ingestion points: Document content enters the agent context through the unpacking and redlining validation processes.
- Boundary markers: Absent. No delimiters or instructions are provided to the agent to disregard embedded instructions within document XML.
- Capability inventory: The skill has read/write file system access and can execute multiple external processes.
- Sanitization: Uses
defusedxmlto mitigate XXE attacks during parsing, but does not sanitize extracted natural language content before processing. - [EXTERNAL_DOWNLOADS]: Recommendation for global package installation from public registries.
- Evidence:
SKILL.mdinstructs the user to runnpm install -g docxto enable document generation capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata