docx
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/office/soffice.py` dynamically generates and compiles a C shared library (`lo_socket_shim.so`) at runtime using `gcc`. This library is then loaded into the `soffice` (LibreOffice) process via the `LD_PRELOAD` environment variable to intercept and modify standard system calls related to Unix domain sockets.
- [COMMAND_EXECUTION]: The skill executes several powerful external command-line utilities to perform its tasks, including `gcc` (for shim compilation), `soffice` (for document conversion and change management), `git` (for document diffing), `pandoc` (for text extraction), and `pdftoppm` (for image generation).
- [PROMPT_INJECTION]: The skill inherently processes untrusted data by reading and manipulating user-provided Word documents (`.docx`, `.doc`). Content extracted via `pandoc` enters the agent's context, creating a surface for indirect prompt injection where instructions hidden within a document could attempt to influence agent behavior. While the skill correctly uses `defusedxml` for most XML parsing, the logic in `scripts/office/validators/redlining.py` and `scripts/office/helpers/simplify_redlines.py` relies on the standard `xml.etree.ElementTree` library, which does not provide the same level of protection against XML External Entity (XXE) vulnerabilities when processing untrusted input.
Recommendations
- AI detected serious security threats
Audit Metadata