docx
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/office/soffice.py dynamically generates a C source file in the temporary directory and executes gcc via subprocess.run to compile it into a shared object (lo_socket_shim.so).
- [COMMAND_EXECUTION]: The skill uses the LD_PRELOAD environment variable to inject the dynamically compiled shared library into the soffice (LibreOffice) process to shim system socket calls.
- [COMMAND_EXECUTION]: Multiple scripts (scripts/accept_changes.py, scripts/office/soffice.py) use subprocess.run to execute external binaries including soffice, pandoc, pdftoppm, and git to process documents.
- [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection (Category 8). It ingests untrusted data from .docx files which are processed by tools like pandoc and then provided to the agent.
  - Ingestion points: scripts/office/unpack.py and SKILL.md (via pandoc instructions).
  - Boundary markers: Absent in the provided scripts; the skill relies on the agent's ability to distinguish instructions from document content.
  - Capability inventory: Subprocess execution of soffice, pandoc, pdftoppm, and gcc; arbitrary file read/write within the workspace.
  - Sanitization: The skill uses defusedxml to mitigate XML-based attacks (XXE), but does not sanitize the text content for natural language instructions.
Audit Metadata