docx
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple system commands to handle document conversion and comparison.
  - It invokes `soffice` (LibreOffice) for headless document processing and macro execution in `scripts/office/soffice.py` and `scripts/accept_changes.py`.
  - It uses `git diff` for generating detailed document comparisons in `scripts/office/validators/redlining.py`.
  - Instructions in `SKILL.md` suggest the use of `pandoc` and `pdftoppm` for content extraction and image conversion.
- [DYNAMIC_EXECUTION]: The skill performs advanced runtime code manipulation to ensure compatibility in specialized environments.
  - Runtime Compilation and Injection: In `scripts/office/soffice.py`, the skill writes a C source string to a temporary file, compiles it using `gcc`, and then uses the resulting shared object with `LD_PRELOAD` to shim socket-related system calls for the `soffice` process.
  - Macro Setup: In `scripts/accept_changes.py`, the skill dynamically writes a LibreOffice StarBasic macro (`AcceptAllTrackedChanges`) to the user profile and executes it to process document revisions.
- [SAFE]: The skill demonstrates good security practices in data handling.
  - It uses the `defusedxml` library across several scripts (`scripts/office/unpack.py`, `scripts/comment.py`, `scripts/office/validators/base.py`) to mitigate XML External Entity (XXE) vulnerabilities during document parsing.
Audit Metadata