docx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The script `ooxml/scripts/pack.py` executes the `soffice` (LibreOffice) binary using `subprocess.run` to validate document conversion. While it uses a list for arguments to mitigate shell injection, invoking complex third-party parsers on generated files is a known attack surface.
- DATA_EXFILTRATION (MEDIUM): In `ooxml/scripts/validation/docx.py`, the skill uses `lxml.etree.parse()` to process XML components of Office documents. Unlike the packing/unpacking scripts which utilize `defusedxml`, the validation module lacks explicit protections against XML External Entity (XXE) attacks. If an attacker provides a crafted document, this could lead to local file exposure.
- PROMPT_INJECTION (LOW): The skill exhibits surface area for indirect prompt injection (Category 8) as it parses and processes content from external Office documents.
  - Ingestion points: Untrusted XML data is read in `ooxml/scripts/unpack.py` and `ooxml/scripts/validation/docx.py`.
  - Boundary markers: No specific delimiters or "ignore instructions" warnings were found when interpolating document data.
  - Capability inventory: The skill possesses the ability to execute external commands (`soffice`) and perform file system read/write operations.
  - Sanitization: While `defusedxml` is used in `pack.py` and `unpack.py`, the `lxml` parser in the validation logic lacks security hardening against malicious entities.