skills/arcaneorion/alice-single/docx/Gen Agent Trust Hub

docx

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Command Execution (HIGH): Path Traversal (Zip Slip) vulnerability in 'ooxml/scripts/unpack.py'.
      • The script calls zipfile.ZipFile(input_file).extractall(output_path) (line 15) without validating zip member paths. A maliciously crafted document could contain member paths with '../' segments, allowing an attacker to write or overwrite files outside the intended output directory, potentially leading to system compromise or persistence mechanisms.
  • Command Execution (MEDIUM): Untrusted data passed to external binary 'soffice' in 'ooxml/scripts/pack.py'.
      • The validate_document function (line 103) executes soffice (LibreOffice) on user-provided files to perform conversion. Using a complex office suite to process untrusted documents is a known code-execution risk if the suite contains vulnerabilities or if document macros are enabled.
  • Indirect Prompt Injection (HIGH): Substantial attack surface through the processing of untrusted OOXML data.
      • Ingestion points: Document extraction and XML parsing in 'ooxml/scripts/unpack.py' and 'ooxml/scripts/validation/docx.py'.
      • Boundary markers: Absent. No delimiters or instructions are used to separate document content from the agent's logic.
      • Capability inventory: File system write access via 'zipfile' and 'Path.write_bytes'; subprocess execution via 'soffice' in 'pack.py'; XML parsing and modification via 'lxml'.
      • Sanitization: Partial. While 'defusedxml' is used to mitigate XXE attacks, there is no validation of the document structure or content to prevent malicious instructions from influencing the agent's behavior during the document processing cycle.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH

Analyzed: Feb 16, 2026, 09:53 AM