skills/rangerrick337/operator-os/docx/Gen Agent Trust Hub

docx

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The script 'ooxml/scripts/pack.py' uses 'subprocess.run' to execute the 'soffice' (LibreOffice) command for document validation. This pattern runs an external system binary on user-provided file paths, which can be risky if the external tool has vulnerabilities or if the path is manipulated.
  • DATA_EXFILTRATION (MEDIUM): The script 'ooxml/scripts/validation/docx.py' utilizes 'lxml.etree.parse' to process XML files extracted from untrusted Office documents. This parser is not configured with 'resolve_entities=False', making the skill vulnerable to XML External Entity (XXE) attacks. An attacker could craft a malicious document that, when validated, exfiltrates sensitive local files to a remote server.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill serves as an ingestion point for untrusted document data. Ingestion points: Office document XML files parsed by 'unpack.py' and 'docx.py'. Boundary markers: None. Capability inventory: XML parsing, file system read/write, and subprocess execution via 'soffice'. Sanitization: The skill uses 'defusedxml' in 'pack.py' and 'unpack.py' to mitigate some risks, but fails to apply these protections in the 'docx.py' validation logic, leaving a gap in the trust chain.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:39 PM