docx
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- COMMAND_EXECUTION (SAFE): The
ooxml/scripts/pack.pyscript executes thesoffice(LibreOffice) binary for document validation. - The implementation uses
subprocess.runwith an argument list, which prevents command injection by avoiding shell interpretation. - A 10-second timeout is applied to mitigate potential denial-of-service through resource-intensive document processing.
- SAFE (INFO): The skill handles untrusted document content, presenting a potential surface for XML-based attacks like XML External Entity (XXE) injection.
- The codebase utilizes the
defusedxmllibrary in its primary extraction and packing scripts (ooxml/scripts/unpack.pyandooxml/scripts/pack.py) to neutralize malicious XML payloads. - Although
lxml.etree.parseis used for specific structural validation inooxml/scripts/validation/docx.py, the security risk is effectively mitigated by the fact that the files are pre-processed and rewritten bydefusedxmlbefore validation occurs.
Audit Metadata