docx
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): Path Traversal (Zip Slip) vulnerability. The extraction logic in ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py uses zipfile.ZipFile.extractall() on input Office documents without validating the internal file paths. A crafted document containing entries with traversal sequences (e.g., ../../root/.ssh/authorized_keys) can be used to overwrite files outside the intended directory.
  - Evidence: ooxml/scripts/unpack.py line 15: zipfile.ZipFile(input_file).extractall(output_path)
  - Evidence: ooxml/scripts/validation/docx.py line 164: zip_ref.extractall(temp_dir)
- [COMMAND_EXECUTION] (MEDIUM): The ooxml/scripts/pack.py script executes the soffice (LibreOffice) command via subprocess.run to validate documents. While the command arguments are constructed using path objects, calling external system binaries with user-influenced file paths is risky and depends on the security of the external tool.
  - Evidence: ooxml/scripts/pack.py line 103: subprocess.run(['soffice', ...])
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface. The skill ingests untrusted ZIP/XML data from Office documents which could contain malicious instructions for downstream agent steps.
  - Ingestion points: ooxml/scripts/unpack.py (line 15) and ooxml/scripts/validation/docx.py (line 164).
  - Boundary markers: None; the scripts do not use delimiters or instructions to ignore embedded content during extraction or parsing.
  - Capability inventory: Subprocess execution (soffice), arbitrary file-write through Zip Slip, and XML manipulation.
  - Sanitization: Uses defusedxml.minidom to prevent XXE attacks, but does not sanitize file paths within the ZIP archives.
Recommendations
- AI detected serious security threats
Audit Metadata