docx
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: Privilege escalation risk in SKILL.md. The documentation instructs the AI agent to execute sudo apt-get install for dependency management, which is a high-risk practice involving administrative privileges.
- [REMOTE_CODE_EXECUTION]: Insecure ZIP extraction in ooxml/scripts/unpack.py and ooxml/scripts/validation/redlining.py. Both scripts use zipfile.ZipFile.extractall() without validating that extracted file paths are restricted to the target directory, creating a 'Zip Slip' vulnerability that allows arbitrary file writes. Caveat: CPython's zipfile strips leading root/drive components and every ".." component from member names during extract(), so on CPython this is a defence-in-depth finding; an explicit containment check still matters for any code path that writes members by hand via ZipFile.open(), or when the archive is unpacked with a different tool.
- [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface.
  - Ingestion points: ooxml/scripts/unpack.py (extracts user-provided files) and ooxml/scripts/validation/redlining.py (parses the resulting XML).
  - Boundary markers: absent; the agent is expected to interpret and manipulate raw XML content from untrusted files directly.
  - Capability inventory: execution of subprocesses (soffice, git, pandoc) and filesystem writes via the XMLEditor class.
  - Sanitization: employs defusedxml for document manipulation, but the validation logic remains exposed to malicious XML structures.
- [REMOTE_CODE_EXECUTION]: Risk of XML External Entity (XXE) attacks in validation modules. Scripts such as ooxml/scripts/validation/base.py use lxml.etree.parse() on untrusted content without explicitly configuring the parser to disable external entity resolution; the parser default should not be relied on, since it differs between lxml versions.
- [EXTERNAL_DOWNLOADS]: The skill suggests installing multiple external dependencies (docx, pandoc, libreoffice, poppler-utils) via system package managers during setup.
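The two REMOTE_CODE_EXECUTION findings above (Zip Slip in the unpack step and XXE in the validation modules) share one remedy: validate what comes out of the untrusted file before acting on it. The following is an added illustration written for this audit, not code from the docx skill; the function names (safe_extract, parse_xml_untrusted), the in-memory archive builder and the sample archive and XML payloads are all constructed for the example. It uses only the Python standard library: the extraction helper resolves every member name against the destination and refuses anything that escapes it, and the XML helper applies the same no-DTD/no-entity policy that defusedxml enforces, run as a pre-check with expat before the document is parsed normally.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.parsers.expat
import zipfile


class UnsafeArchiveError(Exception):
    """A ZIP member would be written outside the extraction directory."""


class UnsafeXmlError(Exception):
    """The XML declares a DTD or entity, which every XXE payload needs."""


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract all members into dest_dir, rejecting Zip Slip names.

    Each member name is joined to the real destination and resolved; the
    result must still lie under the destination. Absolute names and names
    with '..' components fail that test. The check is explicit so it also
    covers code that writes members by hand via ZipFile.open().
    """
    dest_root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise UnsafeArchiveError(info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_root).replace(os.sep, "/"))
    return written


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def try_extract(zip_bytes: bytes) -> tuple:
    """Extract into a throwaway directory; return (accepted, written names)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return True, safe_extract(zip_bytes, tmp)
        except UnsafeArchiveError:
            return False, []


def parse_xml_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted file with DTDs and entities forbidden.

    A first pass with expat raises on any DOCTYPE or entity declaration
    (the policy defusedxml calls forbid_dtd / forbid_entities). With no DTD
    there is nothing for an external entity reference to resolve, so the
    document can then be parsed normally. The lxml equivalent is to pass an
    explicit etree.XMLParser(resolve_entities=False, no_network=True,
    load_dtd=False) rather than relying on the parser default.
    """
    guard = xml.parsers.expat.ParserCreate()
    guard.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(*decl):
        raise UnsafeXmlError(f"entity declaration {decl[0]!r} is not allowed")

    guard.StartDoctypeDeclHandler = forbid_doctype
    guard.EntityDeclHandler = forbid_entity
    guard.Parse(xml_bytes, True)      # raises UnsafeXmlError on any DTD
    return ET.fromstring(xml_bytes)   # no DTD present, safe to parse


def xml_is_accepted(xml_bytes: bytes) -> bool:
    """True if the document passes the no-DTD policy, False if rejected."""
    try:
        parse_xml_untrusted(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples: a benign OOXML-style part, a Zip Slip member name,
# a benign XML body and a classic file-read XXE payload.
BENIGN_ZIP = build_zip({"word/document.xml": b"<document><p>hi</p></document>"})
SLIP_ZIP = build_zip({"../evil.txt": b"pwned"})
BENIGN_XML = b"<document><p>hi</p></document>"
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b"<document>&xxe;</document>")


if __name__ == "__main__":
    print(try_extract(BENIGN_ZIP))                               # (True, ['word/document.xml'])
    print(try_extract(SLIP_ZIP))                                 # (False, [])
    print(xml_is_accepted(BENIGN_XML), xml_is_accepted(XXE_XML))  # True False
```

The containment check compares real paths, so a member that reaches the destination through a symlink already present on disk is also caught; the DTD pre-check parses the bytes twice, which is the price of staying on the standard library when defusedxml is not guaranteed to be installed in the validation modules.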
Audit Metadata