Gen Agent Trust Hub audit: docx (skills/omerakben/omer-akben/docx)

Status: Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Runtime compilation and process injection logic in 'scripts/office/soffice.py'.
  • Compiles an embedded C source ('lo_socket_shim.c') using 'gcc' into a shared library at runtime.
  • Uses the 'LD_PRELOAD' environment variable to inject the compiled library into the 'soffice' subprocess to shim AF_UNIX socket calls.
  • Executes system binaries including 'gcc', 'soffice', 'git', 'pandoc', and 'pdftoppm' across multiple scripts ('soffice.py', 'accept_changes.py', 'redlining.py').
  • [EXTERNAL_DOWNLOADS]: 'SKILL.md' directs the installation of the 'docx' package from the global NPM registry. This reference to a well-known official registry is documented neutrally.
  • [PROMPT_INJECTION]: Indirect prompt injection attack surface identified due to processing untrusted external files.
    1. Ingestion points: The skill reads and extracts content from potentially untrusted '.docx', '.pptx', and '.xlsx' files via 'scripts/office/unpack.py' and 'pandoc'.
    2. Boundary markers: Absent; there are no explicit delimiters or instructions to the agent to ignore embedded instructions within the ingested document content.
    3. Capability inventory: Extensive system capabilities including arbitrary file system access ('Path.rglob', 'shutil.copy2'), command execution ('subprocess.run'), and runtime compilation of C code.
    4. Sanitization: Uses 'defusedxml' for XML parsing to mitigate XML External Entity (XXE) risks, but does not provide sanitization for text content against malicious instructions interpolated into the agent context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 28, 2026, 09:35 PM