docx
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): ZipSlip vulnerability detected in `ooxml/scripts/unpack.py`. The script uses `zipfile.ZipFile.extractall()` to unpack Office documents without validating the target paths of zip entries. A malicious `.docx`, `.pptx`, or `.xlsx` file containing filenames with directory traversal sequences (e.g., `../../target_file`) could overwrite arbitrary files on the system, potentially leading to remote code execution if system scripts or configurations are targeted.
- [Indirect Prompt Injection] (HIGH): The skill presents a high-risk attack surface for indirect prompt injection as it is designed to ingest and process external untrusted Office documents while possessing significant system capabilities.
  - Ingestion points: `ooxml/scripts/unpack.py` (extracting zip contents) and `ooxml/scripts/validation/docx.py` (parsing document XML files).
  - Boundary markers: Absent; the skill does not implement delimiters or explicit instructions for the agent to ignore embedded instructions within the processed document content.
  - Capability inventory: Command execution via `soffice` (LibreOffice) in `pack.py`, and file system write capabilities in both `unpack.py` and `pack.py`.
  - Sanitization: Inconsistent; while `defusedxml` is used in some modules, the primary extraction logic remains vulnerable to ZipSlip, and the validation logic uses potentially unsafe parsers.
- [Dynamic Execution] (MEDIUM): Potential XML External Entity (XXE) risk in `ooxml/scripts/validation/docx.py`. The validator uses `lxml.etree.parse` on document components without explicitly disabling external entity resolution. While `defusedxml` is used elsewhere in the project, the use of `lxml` here creates a vulnerability window where a malicious document could attempt to read local files or perform SSRF via crafted XML entities.
Recommendations
- AI detected serious security threats