docx
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The script ooxml/scripts/unpack.py is vulnerable to a Zip Slip attack when processing Office documents.
  - Evidence: The code uses zipfile.ZipFile(input_file).extractall(output_path) without verifying that the filenames within the ZIP archive are safe. A malicious .docx or .pptx file could contain entries like ../../../../tmp/malicious.sh, which would be written outside the intended directory upon extraction.
- COMMAND_EXECUTION (MEDIUM): The script ooxml/scripts/pack.py invokes the system binary soffice (LibreOffice) to perform document validation.
  - Evidence: subprocess.run(["soffice", "--headless", "--convert-to", ...]) is called on user-provided document paths. While the arguments are passed as a list to prevent shell injection, executing a complex office suite on untrusted files exposes the system to any vulnerabilities present in LibreOffice's parsers.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection due to how it handles external document data (Category 8).
  - Ingestion points: ooxml/scripts/unpack.py extracts XML content from untrusted .docx, .pptx, and .xlsx files.
  - Boundary markers: Absent. The extracted XML and text are processed without delimiters or instructions to the agent to ignore embedded commands.
  - Capability inventory: The skill possesses the ability to execute system commands (soffice), write to the filesystem (zipfile), and modify XML structures.
  - Sanitization: While defusedxml is correctly used to prevent XML External Entity (XXE) attacks, there is no sanitization of the actual text content to prevent the agent from following instructions found inside a document.
Recommendations
- AI detected serious security threats
Audit Metadata