Docx

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGH

Categories: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill explicitly directs the agent to read a sensitive local configuration file located at ~/.claude/PAI/SKILL.md. This file contains private user data, including contact lists, personal preferences, and Voice IDs for service routing (e.g., ElevenLabs), exposing this sensitive information to the agent's context.
  • [REMOTE_CODE_EXECUTION]: The core functionality of the skill requires the agent to dynamically generate and execute Python scripts and JavaScript/TypeScript code (using the docx library). This dynamic execution model is a high-risk pattern that could be exploited to run arbitrary code if the agent's generation process is subverted by malicious input.
  • [COMMAND_EXECUTION]: The skill uses system-level commands and binaries, specifically calling soffice, pdftoppm, and pandoc via shell execution. The provided Python scripts use subprocess.run to interact with these tools, which increases the attack surface if command arguments derived from document content are not strictly validated.
  • [PROMPT_INJECTION]: The skill contains instruction overrides, such as the mandate to "NEVER set any range limits" when reading documentation files, which attempts to bypass default agent tool constraints. It also creates a significant indirect prompt injection surface through the processing of untrusted Word documents:
    • Ingestion points: Document content and comments are extracted into markdown and XML via pandoc and unpack.py for AI analysis.
    • Boundary markers: There are no explicit markers or safety instructions used to distinguish untrusted document content from the agent's system instructions.
    • Capability inventory: The skill has extensive capabilities, including file system access, shell command execution, and dynamic code generation.
    • Sanitization: While the defusedxml library provides protection against structural XML External Entity (XXE) attacks, no content-level sanitization is performed to prevent the AI from potentially obeying instructions embedded within document text.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 16, 2026, 03:45 AM