NYC

word-document-processor

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The SKILL.md file contains explicit instructions for the agent to use sudo apt-get install for various system dependencies. Executing commands with root privileges is a severe security risk that allows for arbitrary system modification.
  • [PROMPT_INJECTION] (MEDIUM): The instruction file includes mandatory commands for the agent to read docx-js.md and ooxml.md "completely from start to finish" and explicitly forbids setting range limits. This behavior is typical of attempts to flood the agent's context or ensure the processing of hidden instructions in large, opaque files not included in the skill distribution.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on downloading and installing several external packages (pandoc, libreoffice, poppler-utils, and the docx npm package) from public registries at runtime, which introduces a dependency on external third-party code and potential supply-chain risks.
  • [PROMPT_INJECTION] (LOW): The skill possesses a significant surface for Indirect Prompt Injection (Category 8) as it processes user-provided .docx files through text extraction and XML unpacking without boundary markers or sanitization of the extracted content.
      • Ingestion points: Untrusted data enters the agent context through pandoc (in SKILL.md) and unpack.py, which extracts XML from user documents.
      • Boundary markers: Absent; there are no instructions to use delimiters or to ignore instructions embedded within the processed document text.
      • Capability inventory: The skill allows the agent to generate and run scripts, execute system binaries like soffice (in pack.py), and perform file system operations.
      • Sanitization: The skill uses defusedxml in pack.py and unpack.py to prevent XML-based attacks (XXE), but it provides no logical sanitization or filtering for the natural language content extracted from documents.
  • [COMMAND_EXECUTION] (MEDIUM): The ooxml/scripts/pack.py script uses subprocess.run to execute the soffice binary. While it avoids shell execution by passing a list of arguments, it still provides a mechanism for interacting with system-level software using potentially untrusted file paths.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:09 PM