docx

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill unpacks and reads arbitrary user-supplied .docx files (e.g., via docx/ooxml/scripts/unpack.py and pandoc conversion steps like "pandoc --track-changes=all path-to-file.docx -o current.md", and by directly accessing word/document.xml with get_node), so it ingests untrusted user-generated document content that the agent is expected to read and interpret.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt explicitly instructs installing system packages (e.g., "sudo apt-get install pandoc", "sudo apt-get install libreoffice", global npm installs) and other system-level dependency changes that require elevated privileges and can modify the machine state, even though it doesn't instruct creating users or bypassing security mechanisms.