docx
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill utilizes runtime compilation and process injection. The script scripts/office/soffice.py contains an embedded C source string that is compiled via gcc into a shared library and loaded into the soffice process using the LD_PRELOAD environment variable. Additionally, scripts/accept_changes.py writes and executes StarBasic macros to automate LibreOffice tasks.
- [COMMAND_EXECUTION]: The skill frequently executes external system utilities using the subprocess module. This includes calls to gcc, soffice (LibreOffice), pandoc, pdftoppm, and git for document conversion, processing, and validation.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of external dependencies, specifically the docx library from the NPM registry as indicated in the documentation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted Word documents.
  1. Ingestion points: Untrusted .docx files are unpacked and read via scripts/office/unpack.py and pandoc.
  2. Boundary markers: No markers or ignore instructions are present to prevent the agent from executing instructions found in the document text or XML structure.
  3. Capability inventory: The skill has extensive system capabilities, including command execution, file writing, and code injection.
  4. Sanitization: Although the skill uses defusedxml to mitigate XML External Entity (XXE) attacks, it does not perform sanitization of natural language instructions that may be embedded in the files.
Audit Metadata