docx
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes external .docx files and converts them to markdown or raw XML, creating a potential surface for indirect prompt injection where malicious instructions embedded in a document could attempt to influence agent behavior.
  - Ingestion points: Document content is ingested via `ooxml/scripts/unpack.py` and the `Document` class in `scripts/document.py`.
  - Boundary markers: The skill does not currently employ explicit delimiters or 'ignore instructions' warnings when presenting extracted text to the agent.
  - Capability inventory: The skill has the ability to write to the local filesystem and execute system commands (e.g., pandoc, soffice).
  - Sanitization: While the skill lacks NL-level sanitization, it rigorously uses `defusedxml` to sanitize the XML parsing layer, effectively mitigating technical injection attacks like XXE (XML External Entity).
- [COMMAND_EXECUTION]: The skill executes several system utilities to perform document processing tasks.
  - Trusted Tools: Uses `pandoc`, `soffice` (LibreOffice), `pdftoppm`, and `git` via `subprocess.run` with argument lists, which prevents shell injection.
  - Extraction: Uses `zipfile.extractall` in `ooxml/scripts/unpack.py` to extract document contents. While `extractall` can be sensitive to directory traversal (ZipSlip) in some environments, it is used here within the local workspace for the skill's primary purpose.
- [EXTERNAL_DOWNLOADS]: The skill references several external dependencies required for its primary operations.
  - Dependencies: Requires the installation of `pandoc`, `LibreOffice`, `poppler-utils`, and the `docx` NPM package. These are well-known, industry-standard tools and are treated as safe, trusted sources.