docx
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: In scripts/office/soffice.py, the skill implements a mechanism to bypass socket restrictions by writing C source code to a temporary file, compiling it into a shared object using gcc, and then using the LD_PRELOAD environment variable to inject this library into the soffice process.
- [COMMAND_EXECUTION]: The skill extensively uses subprocess.run to execute various system commands, including gcc for compilation, soffice for document conversion, pandoc for text extraction, and pdftoppm for image generation. It also writes and executes LibreOffice macros at runtime in scripts/accept_changes.py.
- [EXTERNAL_DOWNLOADS]: The skill depends on external software packages including pandoc, docx (Node.js package via npm), LibreOffice, and Poppler. These tools are retrieved from trusted repositories and organizations.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection.
  - Ingestion points: Content enters the agent context from external .docx files processed by the skill.
  - Boundary markers: No delimiters or specific ignore-embedded-instruction warnings are used for document content interpolation.
  - Capability inventory: Significant capabilities including system command execution, file system writes, and code injection are available across the skill's scripts.
  - Sanitization: XML parsing is secured via the defusedxml library to prevent XXE attacks, but no logical content-level sanitization is performed on the parsed document text.
Audit Metadata