docx

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill documentation (ooxml.md, workflow.md) contains directive language designed to override agent behavior, using markers like 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits' to prevent the agent from using standard optimization techniques. The skill also lacks boundary markers for untrusted document data processed by ooxml/scripts/unpack.py and read by the agent, facilitating indirect prompt injection. Ingestion points include ooxml/scripts/unpack.py and redlining.py; capabilities include subprocess calls in pack.py and file writes in utilities.py; sanitization is performed via defusedxml in scripts/document.py.
  • [COMMAND_EXECUTION]: The sub-skills/tracked-changes-workflow.md file contains instructions to install system dependencies using 'sudo apt-get install'. This encourages the agent to attempt commands requiring administrative privileges. Additionally, the Python scripts ooxml/scripts/pack.py and redlining.py utilize subprocess.run to execute external tools like LibreOffice and Git, representing a capability for command execution based on input paths.
  • [EXTERNAL_DOWNLOADS]: The skill documentation references downloading standard utilities such as pandoc, libreoffice, and the docx npm package from well-known official registries.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 02:04 PM