docx
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/office/soffice.py` contains embedded C source code that is written to a temporary file and compiled at runtime using `gcc`. The resulting shared object is then loaded into the environment via the `LD_PRELOAD` environment variable. While this is used to provide a compatibility layer for socket operations in restricted environments, it involves dynamic code generation and process injection techniques that are high-risk.
- [COMMAND_EXECUTION]: Multiple scripts, including `accept_changes.py`, `pack.py`, `unpack.py`, and `validate.py`, use the `subprocess` module to execute external binaries such as `soffice`, `pandoc`, `git`, and `gcc`. This broad capability surface allows the skill to interact deeply with the host system.
- [PROMPT_INJECTION]: The skill processes untrusted document content from `.docx` files through `unpack.py` and `pandoc`. There are no explicit boundary markers or instructions provided to the agent to treat the ingested document text as untrusted data, which creates a surface for indirect prompt injection attacks where a malicious document could influence the agent's behavior.
- [EXTERNAL_DOWNLOADS]: The `SKILL.md` file instructs the agent to install external dependencies including the `docx` Node.js library and system tools like `pandoc`, `LibreOffice`, and `Poppler` utilities. These are necessary for the skill's primary functionality but involve downloading and installing third-party software.
Audit Metadata