docx
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/office/soffice.py` performs runtime compilation and library injection. It writes a C source string to a temporary file, compiles it using `gcc` into a shared library (`lo_socket_shim.so`), and injects it into the `soffice` process using the `LD_PRELOAD` environment variable. This technique is used to intercept and redirect system socket calls at a low level, which is a high-risk dynamic execution behavior.
- [COMMAND_EXECUTION]: The skill uses `subprocess.run` to execute multiple external command-line binaries, including `pandoc`, `soffice`, `pdftoppm`, `gcc`, and `git`. While these are utilized for document conversion and processing, the capability to execute system commands is a sensitive vector that requires containment.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `docx` library from the npm registry, as specified in the configuration steps within `SKILL.md`. This is an external dependency from a well-known package registry.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: The skill processes external content from `.docx` files through `pandoc` text extraction and XML unpacking (`SKILL.md`, `scripts/office/unpack.py`).
  - Boundary markers: Absent. There are no delimiters or specific instructions to the agent to ignore or isolate embedded commands found within the document content.
  - Capability inventory: The skill possesses extensive system capabilities, including arbitrary subprocess execution, file system writes, and runtime code compilation (`scripts/office/soffice.py`, `scripts/accept_changes.py`).
  - Sanitization: While the skill uses `defusedxml` to mitigate XML-based attacks during parsing, it does not sanitize the natural language content extracted for agent processing.
Recommendations
- AI detected serious security threats
Audit Metadata