office
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (MEDIUM): The workflow defined in agents/office-docs.md instructs the agent to create temporary TypeScript files by interpolating user-provided data into templates and then executing them using npx tsx. This design allows for potential code injection if a user provides input crafted to escape string literals in the generated script.
- [COMMAND_EXECUTION] (LOW): The scripts/verify-deps.sh script and the agent's instructions automate the execution of shell commands for package management (npm install) and environment checks.
- [PROMPT_INJECTION] (LOW): The agent instructions in agents/office-docs.md include directives to 'Execute silently' and 'don't show the code', which intentionally reduce transparency and prevent the user from verifying the safety of the code generated and executed on their behalf.
- [Indirect Prompt Injection] (LOW):
  1. Ingestion points: User-provided content for documents enters the system through natural language requests.
  2. Boundary markers: Absent; there are no instructions for the agent to use delimiters or to ignore instructions embedded in user data.
  3. Capability inventory: The agent has Bash, Write, and Edit tools, along with the ability to execute code via npx.
  4. Sanitization: Absent; the templates do not include logic for escaping or validating external input before it is written to an executable .ts file.
Audit Metadata