word-documents
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The tools
create_word_documentandmodify_word_documentaccept apython_codeparameter. This string is executed as Python code on the backend to manipulate document objects, which allows for arbitrary logic execution within the agent's environment. - [DYNAMIC_EXECUTION]: The skill is designed to generate and execute Python scripts at runtime using libraries such as
python-docx,matplotlib,pandas, andnumpy. This pattern of script generation and execution can be exploited if an attacker can influence the generated code. - [DATA_EXFILTRATION]: Because the skill can execute arbitrary Python code and has access to document content via
read_word_document, there is a risk that sensitive information from the workspace or document could be exfiltrated if the agent is manipulated into including malicious networking or file-system logic in thepython_codeparameter. - [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from external Word files.
- Ingestion points: The
read_word_documenttool inSKILL.mdreads content and comments from Word documents and provides them to the agent. - Boundary markers: The instructions do not define any boundary markers or delimiters to separate document content from agent instructions, nor do they warn the agent to ignore instructions embedded within the documents.
- Capability inventory: The agent has the capability to execute code via the
python_codeparameter increate_word_documentandmodify_word_document(SKILL.md). - Sanitization: There is no mention of sanitization, validation, or filtering of the content read from Word documents before it is processed by the agent.
Audit Metadata