docx
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains explicit instructions to the AI agent to override its default file-reading constraints, using phrases like 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits'.
- [DATA_EXFILTRATION]: Validation modules such as ooxml/scripts/validation/base.py, docx.py, and pptx.py utilize the lxml.etree.parse() function to process XML content from user-provided documents. By default, this function is susceptible to XML External Entity (XXE) attacks, which can allow an attacker to read sensitive files from the local filesystem through a crafted document.
- [COMMAND_EXECUTION]: The skill uses subprocess.run() to execute system binaries, including soffice (LibreOffice) in ooxml/scripts/pack.py and git in ooxml/scripts/validation/redlining.py. These commands are used for document conversion and comparison but represent a capability that could be targeted by indirect injection.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by ingesting and processing untrusted external files (.docx).
  * Ingestion points: Files are unpacked in ooxml/scripts/unpack.py and read via pandoc or minidom.
  * Boundary markers: The skill lacks instructions for the agent to use delimiters or to ignore instructions found within document content.
  * Capability inventory: The skill can write to the filesystem, run system commands (git, soffice), and manipulate complex XML structures.
  * Sanitization: While the core Document library uses the secure defusedxml package, the validation scripts use the less secure lxml and standard xml.etree libraries.
Audit Metadata