MSOffice

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Command Execution] (HIGH): The skill builds shell commands by interpolating untrusted JSON data into the --content argument of a CLI tool. Unless the agent or the script escapes that input correctly, this pattern is open to shell injection: metacharacters such as backticks or semicolons in the JSON could lead to arbitrary command execution on the host system.
  • [Indirect Prompt Injection] (HIGH): The workflow relies on a 'Research' skill to fetch content, which the agent then processes and passes to a shell tool. Malicious instructions on a fetched webpage could therefore be ingested and used to manipulate the agent or to reach the command-execution capability described above.
  • Ingestion points: Templates/Word.md and Templates/PowerPoint.md explicitly ingest data from user prompts and from the output of the /research tool.
  • Boundary markers: No isolation techniques, delimiters, or 'ignore instructions' warnings separate untrusted content from the shell command arguments.
  • Capability inventory: The skill uses the Bash tool to run a Python interpreter on a local script (generate.py), which provides a direct path from untrusted data to system execution.
  • Sanitization: There is no evidence of input validation, sanitization, or escaping of the user-controlled JSON content before it is interpolated into the shell command string.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:10 PM