docx
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes system commands via `subprocess.run` to manage document processing utilities like `pandoc` and `pdftoppm`.
- [COMMAND_EXECUTION]: In `scripts/office/soffice.py`, the skill generates C source code at runtime, compiles it using `gcc`, and uses `LD_PRELOAD` to inject the resulting library into the LibreOffice process. This mechanism is used to bypass socket restrictions in sandboxed environments.
- [PROMPT_INJECTION]: The skill processes content from user-supplied documents, creating an attack surface for indirect prompt injection.
  - Ingestion points: Files are read into the agent's context using `scripts/office/unpack.py` and `scripts/office/soffice.py`.
  - Boundary markers: Absent. The skill does not use specific delimiters or instructions to isolate document content from system prompts.
  - Capability inventory: Across various scripts, the skill can execute arbitrary system commands, perform runtime compilation, and read/write filesystem content.
  - Sanitization: The skill utilizes `defusedxml` for XML parsing which helps mitigate XXE vulnerabilities, although it does not filter natural language instructions within documents.
Audit Metadata