docx-contracts
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill uses the docxtpl library (a Jinja2-based templating engine) to render user-provided templates. This is a known vector for Server-Side Template Injection (SSTI), allowing attackers to execute arbitrary code via malicious document fields.
- PROMPT_INJECTION (MEDIUM): The instructions 'Don't try to read it' and 'Don't read file' are highly suspicious as they command the agent to ignore the contents of processed files, effectively bypassing safety filters that might otherwise identify malicious payloads.
- COMMAND_EXECUTION (LOW): The skill executes local Python scripts and modifies the system environment via pip installation.
- DATA_EXFILTRATION (LOW): Malicious templates could use SSTI to read sensitive local data and embed it in the final document output.
- [Category 8] Indirect Prompt Injection (LOW):
  1. Ingestion points: User-uploaded .docx files.
  2. Boundary markers: Absent; instructions explicitly forbid inspection.
  3. Capability inventory: Execution of rendering scripts with full access to the docxtpl engine.
  4. Sanitization: None; raw Jinja2 tags are processed directly.
Audit Metadata