docx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted .docx files and converts them to Markdown or XML for agent consumption, creating a large attack surface for malicious instructions embedded in documents. * Ingestion points: word/document.xml (via ooxml/scripts/unpack.py) and output.md (via pandoc). * Boundary markers: Absent; the agent is instructed to read document content without delimiters or warnings to ignore embedded commands. * Capability inventory: subprocess calls to pandoc, soffice, and pdftoppm, along with file writing and execution of agent-generated Python/JS scripts. * Sanitization: Uses defusedxml for XML parsing, but lacks filtering for natural language content.
- Dynamic Execution (MEDIUM): The scripts ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py use zipfile.extractall() without validating that member paths stay within the target directory. This 'Zip Slip' vulnerability allows a malicious archive to overwrite arbitrary files accessible to the agent, potentially leading to unauthorized system modification.
- Prompt Injection (LOW): The SKILL.md documentation includes strong instruction overrides such as 'NEVER set any range limits', which attempts to bypass standard agent behaviors for context management and file reading constraints.
Audit Metadata