doc
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection because it ingests and processes untrusted .docx files. An attacker could embed malicious instructions within a document to override the agent's behavior. Ingestion points:
scripts/render_docx.pyandpython-docxread content from the OOXML ZIP archive. Boundary markers: The skill does not use any delimiters or specific instructions to isolate document content from the agent's core logic. Capability inventory: The skill has the ability to execute system commands (soffice,pdftoppm) and modify the file system. Sanitization: No sanitization is performed on the input documents. - [COMMAND_EXECUTION] (MEDIUM): The
scripts/render_docx.pyscript usessubprocess.runto callsofficeandpdftoppm. While it uses list-based arguments, processing complex, attacker-controlled document formats in a headless office suite environment presents a significant attack surface for potential exploits. - [COMMAND_EXECUTION] (MEDIUM): The Python rendering script utilizes
xml.etree.ElementTreeto parseword/document.xml. This library is not secure against maliciously crafted XML data, such as Billion Laughs attacks, which can be used to cause a denial-of-service. - [EXTERNAL_DOWNLOADS] (LOW): The skill documentation instructs the user to install external dependencies including
python-docx,pdf2image,libreoffice, andpoppler-utils. These are well-known tools but introduce a reliance on external software and package registries.
Recommendations
- AI detected serious security threats
Audit Metadata