docx
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Dynamic Execution (HIGH): The script 'scripts/office/soffice.py' contains a mechanism to compile an embedded C source string into a shared object using 'gcc' at runtime. The resulting library is then injected into the 'soffice' process via the 'LD_PRELOAD' environment variable to intercept and modify system calls. This is a high-severity finding involving process hijacking.
- Command Execution (MEDIUM): The skill utilizes 'subprocess.run' to execute various system utilities including 'soffice', 'gcc', and 'git'. Specifically, 'scripts/accept_changes.py' generates and executes LibreOffice Basic macros, which can be exploited by malicious document content.
- Indirect Prompt Injection (LOW): The skill ingests and processes untrusted ZIP-based Office documents (DOCX, PPTX). 1. Ingestion points: 'scripts/office/unpack.py' and 'scripts/office/validators/redlining.py' extract XML content from external files. 2. Boundary markers: No clear delimiters or instructions are provided to the agent to ignore potentially malicious instructions inside the documents. 3. Capability inventory: 'subprocess.run' calls to 'soffice', 'gcc', and 'git'. 4. Sanitization: The skill uses 'defusedxml' to mitigate XML-based attacks like XXE, but does not sanitize the extracted text content against prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata