docx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill's primary workflow requires the agent to write and execute arbitrary Python and JavaScript code to manipulate OOXML structures. This dynamic execution of generated code presents a risk if the agent's logic is influenced by malicious input within documents.
- PROMPT_INJECTION (LOW): The instructions in SKILL.md contain behavioral overrides, specifically commanding the agent to 'NEVER set any range limits' when reading reference files. This is an attempt to bypass standard tool-use constraints or safety guardrails related to context management.
- EXTERNAL_DOWNLOADS (LOW): The skill documentation lists several required external dependencies, including system packages (pandoc, libreoffice, poppler-utils) and library packages (defusedxml, docx npm). While these are standard tools, they introduce a surface for supply chain risks.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from .docx files.
  - Ingestion points: current.md (extracted via pandoc).
  - Boundary markers: Absent; there are no instructions to treat extracted text as untrusted or to use delimiters.
  - Capability inventory: Access to python, node, and system commands (soffice, pdftoppm).
  - Sanitization: Uses defusedxml to mitigate XML-based attacks (XXE), but lacks content sanitization for instructions.
Audit Metadata