docx
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The script ooxml/scripts/unpack.py is vulnerable to Path Traversal (Zip Slip). It calls zipfile.ZipFile(input_file).extractall(output_path) on a user-provided Office file without validating member names. A maliciously crafted ZIP/OOXML file whose member names contain ../ sequences could write files to arbitrary locations on the agent's filesystem. Note that CPython's ZipFile.extract() has stripped absolute-path prefixes and ".." components from member names since Python 3.3.1, so the classic payload is neutralized on a current interpreter; the script still performs no validation of its own and silently extracts whatever the rewritten path points at instead of rejecting the archive.
- DATA_EXFILTRATION (MEDIUM): The validator in ooxml/scripts/validation/docx.py uses lxml.etree.parse() to process XML files extracted from user-supplied documents. Unless entity resolution is explicitly disabled (for example via lxml.etree.XMLParser(resolve_entities=False, no_network=True)), the default parser on lxml releases before 5.0 expands external entities, which exposes the validator to XML External Entity (XXE) attacks and can lead to local file disclosure or server-side request forgery (SSRF).
- PROMPT_INJECTION (LOW): Indirect Prompt Injection surface detected. The skill's primary function is to ingest and process untrusted document data.
  - Ingestion points: ooxml/scripts/unpack.py (extracts user-supplied .docx, .pptx, or .xlsx files).
  - Boundary markers: Absent. The skill passes raw XML content to the LLM without delimiters or a warning that the content is untrusted.
  - Capability inventory: subprocess.run (executing soffice), file writing (repacking), and directory manipulation.
  - Sanitization: defusedxml is used in some scripts (pack.py, unpack.py), but the validation logic in docx.py uses standard lxml and the extraction logic is unhardened.
- COMMAND_EXECUTION (LOW): ooxml/scripts/pack.py uses subprocess.run to call an external binary (soffice). The call uses list form, which prevents simple shell injection, but it depends on an external system dependency being present and it processes files generated by the agent.
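The two extraction-side findings above (the unchecked extractall() in unpack.py and the default lxml parser in docx.py) can be closed with the checks below. This is an added example and not code from the audited skill or from Gen Agent Trust Hub; the sample archives, the symlink member and the XXE payload are constructed for illustration, and the function names are this example's own. It refuses an archive outright when any member name escapes the extraction root or is a symlink, rather than relying on the extractor to rewrite the path, and it rejects any document part that carries a DTD before lxml is ever handed the bytes.

```python
"""Hardening checks for an OOXML unpacker: reject Zip Slip members and DTDs.

Added example, not the audited skill's code. It mirrors the findings for
unpack.py (unchecked extractall) and docx.py (default lxml parser).
"""
import io
import os
import posixpath
import shutil
import tempfile
import zipfile

S_IFMT, S_IFLNK = 0o170000, 0o120000  # POSIX mode bits kept in external_attr


def entry_escapes(name: str) -> bool:
    """True if a member name could resolve outside the extraction root."""
    norm = name.replace("\\", "/")  # Windows-built archives may use backslashes
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True  # absolute POSIX path or a drive letter
    return ".." in posixpath.normpath(norm).split("/")


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix creators store st_mode in the high 16 bits of external_attr."""
    return ((info.external_attr >> 16) & S_IFMT) == S_IFLNK


def scan_archive(zip_bytes: bytes) -> list[str]:
    """Return the names of members that must not be extracted, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if entry_escapes(i.filename) or is_symlink(i)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only after every member passes the name and type checks.

    Unlike extractall(), this refuses the whole archive instead of silently
    rewriting a bad member's path, and re-checks containment on disk.
    """
    root = os.path.realpath(dest)
    bad = scan_archive(zip_bytes)
    if bad:
        raise ValueError(f"refusing archive with unsafe members: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"member resolves outside root: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(os.path.relpath(target, root))
    return written


def has_dtd(part: bytes) -> bool:
    """OOXML parts never carry a DOCTYPE, so any DTD or entity declaration is hostile.

    A byte search is a coarse pre-filter (a UTF-16 part would slip past it), so
    it complements the parser settings below rather than replacing them.
    """
    return b"<!DOCTYPE" in part or b"<!ENTITY" in part


def load_part(part: bytes):
    """Parse one document part with entity expansion and network access disabled."""
    if has_dtd(part):
        raise ValueError("DTD or entity declaration inside document part")
    from lxml import etree  # imported here so the ZIP checks run without lxml installed

    parser = etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)
    return etree.fromstring(part, parser)


def build_archive(members) -> bytes:
    """Constructed sample archive; members is a list of (name or ZipInfo, data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


BENIGN_DOCX = build_archive([
    ("[Content_Types].xml", b"<Types/>"),
    ("word/document.xml", b'<w:document xmlns:w="urn:x"/>'),
])
_link = zipfile.ZipInfo("word/media/image1.png")
_link.external_attr = 0o120777 << 16  # S_IFLNK | 0777: the member is a symlink
MALICIOUS_DOCX = build_archive([
    ("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA... attacker\n"),  # Zip Slip
    (_link, b"/etc/passwd"),  # a symlink member stores its target as the data
])
XXE_PART = (b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
            b'<w:document xmlns:w="urn:x">&e;</w:document>')


def extract_to_scratch(zip_bytes: bytes) -> list[str]:
    """Extract into a throwaway directory and return the relative paths written."""
    scratch = tempfile.mkdtemp(prefix="ooxml-")
    try:
        return sorted(safe_extract(zip_bytes, scratch))
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print("benign members written:", extract_to_scratch(BENIGN_DOCX))
    print("malicious members refused:", scan_archive(MALICIOUS_DOCX))
    print("XXE part rejected before parsing:", has_dtd(XXE_PART))
```

Rejecting the whole archive is deliberate: an OOXML package with a traversal or symlink member is hostile by construction, and extracting the remaining "good" parts only hands a tampered document to the rest of the pipeline. The same applies to the DTD check, since no legitimate Word, PowerPoint or Excel part declares one.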
Recommendations
- AI detected serious security threats
Audit Metadata