pptx
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
- Unsafe Archive Extraction (HIGH): The scripts `ooxml/scripts/unpack.py` and `ooxml/scripts/validation/docx.py` use `zipfile.extractall()` on input Office files without validating member paths. A maliciously crafted document containing filenames with path traversal sequences (e.g., `../../etc/passwd`) could overwrite arbitrary files on the system.
  - Evidence in `ooxml/scripts/unpack.py`: `zipfile.ZipFile(input_file).extractall(output_path)`
  - Evidence in `ooxml/scripts/validation/docx.py`: `zipfile.ZipFile(self.original_file, "r").extractall(temp_dir)`
- XML External Entity (XXE) Risk (MEDIUM): The `DOCXSchemaValidator` in `ooxml/scripts/validation/docx.py` uses `lxml.etree.parse()` without disabling entity resolution. This could allow an attacker to read local files if the processed document contains malicious XML entities.
  - Evidence in `ooxml/scripts/validation/docx.py`: `root = lxml.etree.parse(str(xml_file)).getroot()`
- Indirect Prompt Injection (LOW): The skill ingests untrusted third-party data (Word and PowerPoint files). While it uses `defusedxml` in some scripts, the overall surface area for processing complex document structures poses a risk if instructions are embedded in the document text or metadata.
  - Ingestion points: `.docx`, `.pptx`, `.xlsx` files provided to unpack/validate scripts.
  - Boundary markers (absent): No explicit instructions to the agent to ignore embedded content in files.
  - Capability inventory: File write, subprocess execution (`soffice`).
  - Sanitization (absent): Archive extraction and XML parsing (in `docx.py`) lack sufficient sanitization.
Recommendations
- AI detected serious security threats
Audit Metadata