word

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): The skill executes external CLI tools such as soffice, pdftoppm, and pandoc via subprocess.run. This is consistent with its stated purpose of document conversion and visual rendering. Commands are constructed using path strings for input and output, which effectively limits the potential for arbitrary command injection.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection when processing untrusted Word documents.
    1. Ingestion points: Text and structure are extracted from DOCX files via scripts like render_docx.py and tools like pandoc.
    2. Boundary markers: The SKILL.md instructions do not provide delimiters or warnings to help the agent distinguish between document content and its own operational instructions.
    3. Capability inventory: The skill has access to the local filesystem and can execute external conversion utilities, providing a significant impact surface.
    4. Sanitization: There is no evidence of sanitization or safety filtering for the content extracted from processed documents.
  • [XML_PROCESSING] (LOW): XML handling is inconsistent across the skill. The pack/unpack scripts use defusedxml to prevent XML External Entity (XXE) attacks, but scripts/render_docx.py uses the standard xml.etree.ElementTree and references/ooxml/scripts/validation/docx.py uses lxml.etree, neither with explicit XXE protections. This introduces a risk of information disclosure if a malicious DOCX container is processed.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:26 PM