docx
Verdict: Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The secondary validation scripts ('ooxml/scripts/validation/base.py' and 'ooxml/scripts/validation/redlining.py') parse XML with 'lxml.etree.parse' and 'xml.etree.ElementTree.parse', which are not hardened against entity expansion. Because that XML is extracted from untrusted, user-provided Office documents, this creates a risk of XML External Entity (XXE) attacks, which could be leveraged to read sensitive local files.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection from processed '.docx' files. Ingestion points include text extraction via 'pandoc' and raw XML unpacking in 'ooxml/scripts/unpack.py'; the provided scripts add no boundary markers around extracted content. The capability inventory includes file system writes via 'document.py' and subprocess execution ('soffice', 'git'). While the primary workflow uses 'defusedxml' for XML sanitization, that protects against entity-based XML attacks, not against instructions embedded in document text, which the agent may still obey.
- [COMMAND_EXECUTION]: The skill executes external binaries 'soffice' (LibreOffice) and 'git' via 'subprocess.run' in 'ooxml/scripts/pack.py' and 'ooxml/scripts/validation/redlining.py' for document validation and diffing. While these operations are tied to the skill's primary purpose, they operate on user-controlled file paths and contents.
- [EXTERNAL_DOWNLOADS]: Instructions in 'SKILL.md' direct the user to install multiple external dependencies from public repositories and package managers, including 'pandoc', the 'docx' npm package, 'LibreOffice', and 'Poppler'.