
docx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The scripts 'ooxml/scripts/unpack.py' and 'ooxml/scripts/validation/docx.py' use 'zipfile.ZipFile.extractall()' on user-provided Office files without validating that the archive's internal paths are contained within the target directory. This allows a malicious document to overwrite arbitrary files on the system using relative path traversal (Zip Slip).
  • [COMMAND_EXECUTION] (MEDIUM): The 'ooxml/scripts/pack.py' script uses 'subprocess.run' to execute the 'soffice' command. While used for document validation, executing external binaries with input-derived paths carries risks of argument injection or exploitation of the external tool's own vulnerabilities.
  • [DATA_EXFILTRATION] (MEDIUM): In 'ooxml/scripts/validation/docx.py', the 'count_paragraphs_in_original' method uses 'lxml.etree.parse()' on XML files extracted directly from the original document. Unlike other parts of the skill that use 'defusedxml', this call is vulnerable to XML External Entity (XXE) attacks which could be used to read sensitive local files.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes complex, untrusted Office documents which can serve as vectors for indirect prompt injection. Ingestion points: 'unpack.py' extracts zip contents. Boundary markers: None. Capability inventory: Subprocess execution in 'pack.py' and arbitrary file writes in 'unpack.py'. Sanitization: Uses 'defusedxml' for some XML operations, but use is inconsistent across the codebase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:03 PM