docx
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute system-level installation commands using 'sudo apt-get install' for utilities like pandoc, libreoffice, and poppler-utils. Use of 'sudo' for setup tasks is a high-risk privilege escalation vector.
- [EXTERNAL_DOWNLOADS]: The skill directs the agent to download and install external software via 'npm install -g docx', 'pip install defusedxml', and system package managers, which introduces unverifiable third-party code into the environment.
- [PROMPT_INJECTION]: The skill includes 'MANDATORY' directives that explicitly command the agent to 'NEVER set any range limits' when reading specific files. This is a direct attempt to bypass the agent's internal safety filters or resource-management constraints regarding large file handling.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it processes untrusted user-provided .docx files. Content extracted from these files (via pandoc or XML parsing) is used to drive agent logic and script generation.
  (1) Ingestion points: word/document.xml extracted from user-supplied .docx files.
  (2) Boundary markers: None specified to differentiate document data from instructions.
  (3) Capability inventory: Subprocess execution (pandoc, soffice, pdftoppm), file system modification (doc.save), and execution of local scripts (unpack.py, pack.py).
  (4) Sanitization: The skill properly utilizes 'defusedxml' to mitigate XML-specific attacks, but does not provide safeguards against malicious instructional content embedded within the document text.
Recommendations
- AI detected serious security threats
Audit Metadata