docx
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Runtime code compilation and process injection.
  - File: scripts/office/soffice.py
  - Description: The script defines a C source string, writes it to a temporary file, and compiles it into a shared library using gcc. This library is then injected into the LibreOffice (soffice) process via the LD_PRELOAD environment variable.
  - Context: This technique shims UNIX socket operations to bypass restrictions that may exist in sandboxed execution environments, allowing the agent to perform document conversions.
- [COMMAND_EXECUTION]: Execution of system tools and StarBasic macros.
  - Files: scripts/accept_changes.py, scripts/office/soffice.py, scripts/office/validators/redlining.py
  - Description: The skill uses Python's subprocess module to execute system commands including soffice, pandoc, pdftoppm, and git diff. Notably, scripts/accept_changes.py executes internal StarBasic macros within LibreOffice to programmatically accept tracked changes.
- [EXTERNAL_DOWNLOADS]: Prerequisite installation of system software.
  - File: SKILL.md
  - Description: The skill instructs users to install several external dependencies including pandoc, poppler-utils, LibreOffice, and the global Node.js package docx.
- [PROMPT_INJECTION]: Indirect prompt injection attack surface.
  - Ingestion points: scripts/office/unpack.py extracts XML content from ZIP-compressed Office files (.docx, .pptx, .xlsx).
  - Boundary markers: Absent; the skill modifies XML structures directly without using clear delimiters to separate untrusted data from agent instructions.
  - Capability inventory: Shell command execution via subprocess, macro execution, and file system modification.
  - Sanitization: Employs the defusedxml library to mitigate XML-based vulnerabilities like entity expansion (Billion Laughs).