docx
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/office/soffice.pyperforms runtime compilation of hardcoded C source code usinggcc. The resulting shared library is then injected into thesofficeprocess via theLD_PRELOADenvironment variable to intercept and redirect UNIX domain socket calls, bypassing environment-specific restrictions.\n- [COMMAND_EXECUTION]: The scriptscripts/accept_changes.pydynamically creates a LibreOffice StarBasic macro and installs it into a temporary user profile. This macro is subsequently executed bysofficeto automate document processing tasks.\n- [COMMAND_EXECUTION]: Several components, includingscripts/office/soffice.py,scripts/accept_changes.py, andooxml/scripts/pack.py, utilize thesubprocessmodule to execute external binaries such asgccandsoffice.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its processing of untrusted OOXML data from Word documents.\n - Ingestion points: The
Documentlibrary inscripts/document.pyand theunpackutility inscripts/office/unpack.pyread and parse XML data from external files.\n - Boundary markers: The skill does not employ delimiters or explicit instructions to ignore embedded commands within the parsed content.\n
- Capability inventory: The skill has extensive filesystem access and the ability to execute shell commands and compile code, which increases the potential impact of successful injection.\n
- Sanitization: Although the implementation uses
defusedxmlto mitigate XXE vulnerabilities, the document content itself is not sanitized against instructional text before being processed by the agent.\n- [EXTERNAL_DOWNLOADS]: The skill documentation (docx-js.mdandSKILL.md) references the requirement for the external Node.js packagedocx, suggesting installation vianpm install -g docx.
Audit Metadata