docx
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
- Dynamic Execution (HIGH): The file `scripts/office/soffice.py` contains a hardcoded C source string that is written to a temporary file and compiled using `gcc` at runtime. The resulting shared object is then injected into the `soffice` (LibreOffice) binary using the `LD_PRELOAD` environment variable. This technique allows the skill to override system-level socket calls but also bypasses standard security controls.
- Command Execution (MEDIUM): The skill frequently invokes external binaries via `subprocess.run`. This includes calling `gcc` for the shim compilation and `soffice` for processing document changes in `scripts/accept_changes.py` and `scripts/office/soffice.py`.
- Command Execution (LOW): The validation utility in `scripts/office/validators/redlining.py` executes the `git` binary to generate word-level diffs when comparing document content.
- Indirect Prompt Injection (LOW): The skill is designed to process external, untrusted document files, which constitutes an attack surface.
  - Ingestion points: `scripts/office/unpack.py` extracts XML content from `.docx`, `.pptx`, and `.xlsx` files.
  - Boundary markers: Absent; the skill processes document XML structure without explicit delimiters or instructions to ignore embedded content.
  - Capability inventory: The skill can execute shell commands, compile C code, write to the filesystem, and manipulate document metadata.
  - Sanitization: The skill correctly employs `defusedxml` to mitigate XML External Entity (XXE) attacks, but it does not sanitize the logical text content of the documents for potentially malicious agent instructions.
Recommendations
- AI detected serious security threats