Skills
skills/pitzcarraldo/skills/hwp/Gen Agent Trust Hub

hwp

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs several Python packages at runtime from the public PyPI registry. This is seen in both the SKILL.md workflow and the install_package function within scripts/hwp_reader.py. These packages are not pinned to specific versions.
  • Evidence in SKILL.md: pip install -q pyhwp2md
  • Evidence in scripts/hwp_reader.py: install_package("python-hwpx"), install_package("six"), install_package("pyhwp").
  • [REMOTE_CODE_EXECUTION]: By installing and then importing or executing packages at runtime (such as via uvx, pipx run, or pip install), the skill executes code downloaded from external sources. The scripts/hwp_reader.py script specifically uses subprocess.run to call pip and then proceeds to import hwpx or import hwp5 to process files.
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to execute external command-line utilities and system commands.
  • scripts/hwp_reader.py executes hwp5txt and hwp5html to process documents.
  • scripts/hwp_reader.py uses pip install with the --break-system-packages flag to bypass environment restrictions if a standard installation fails.
  • SKILL.md instructs the agent to run a bash script that uses command -v and subshells to detect and run package managers.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external files and injects the output into the agent's context.
  • Ingestion points: The skill reads user-provided files via [file-path] in SKILL.md and scripts/hwp_reader.py.
  • Boundary markers: None. Extracted text from HWP documents is printed directly to stdout and included in the conversation context without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The agent has the ability to run shell commands (via subprocess.run and bash scripts) and perform file operations.
  • Sanitization: The HwpHtmlExtractor class in scripts/html_extractor.py and the regex cleaning in scripts/hwp_reader.py focus on structural parsing and noise removal but do not sanitize the content for malicious instructions or escape sequence characters.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 17, 2026, 04:30 AM