docx
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill contains explicit instructions to the agent to override standard operational constraints, specifically directing it to "NEVER set any range limits" when using file-reading tools. This pattern is designed to bypass built-in safety and performance guardrails.
- [PROMPT_INJECTION]: The workflow extracts text from external documents and presents it to the agent without using delimiters or sanitization instructions. This creates a surface for indirect prompt injection, where a malicious document could manipulate the agent into performing unauthorized actions.
- [COMMAND_EXECUTION]: Multiple scripts within the skill use the subprocess module to execute system binaries such as git, soffice (LibreOffice), and pdftoppm. The skill also provides setup instructions that involve sudo for environment configuration, which poses a risk of privilege escalation.
- [DATA_EXFILTRATION]: The ooxml/scripts/validation/redlining.py script uses the standard library xml.etree.ElementTree for parsing, which is documented as insecure against XML External Entity (XXE) attacks. This vulnerability could be exploited by a malicious document to access sensitive local files or probe internal networks.
- [EXTERNAL_DOWNLOADS]: The skill depends on various external software tools like pandoc and the docx npm package. The installation instructions in SKILL.md lack version pinning and integrity verification, making the environment susceptible to supply chain risks or the installation of unverified software.
Audit Metadata