
docx

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/office/soffice.py performs runtime compilation of C source code. It writes lo_socket_shim.c to the temporary directory and executes gcc to produce a shared object (.so). This library is then injected into the soffice process using the LD_PRELOAD environment variable to intercept and modify system calls.
  • [COMMAND_EXECUTION]: Multiple scripts utilize subprocess.run to execute external binaries, including soffice for document conversion (scripts/accept_changes.py, scripts/office/soffice.py) and git diff for redlining validation (scripts/office/validators/redlining.py).
  • [EXTERNAL_DOWNLOADS]: The skill instructions in SKILL.md advise the agent to install external software globally via npm install -g docx. While docx is a well-known library, dependencies from external registries contribute to the unverifiable code surface.
  • [PROMPT_INJECTION]: The skill handles untrusted document data, creating a surface for indirect prompt injection.
    1. Ingestion points: Untrusted .docx files are processed via pandoc and scripts/office/unpack.py, which extracts XML content for the agent to read.
    2. Boundary markers: Absent.
    3. Capability inventory: File system write access and arbitrary command execution.
    4. Sanitization: Not explicitly implemented for the content of processed documents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 12:42 AM