skills/sargupta/sahayakai/docx/Gen Agent Trust Hub

docx

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The instruction file SKILL.md uses directive language such as 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits' to override standard agent handling of large documents and context constraints.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting external documents without using boundary markers or instructions to treat extracted content as untrusted.
      1. Ingestion points: Raw XML and text from Word documents are loaded into the agent context via files like word/document.xml.
      2. Boundary markers: Absent; no delimiters or ignore-embedded-instructions warnings are provided.
      3. Capability inventory: File system write access and subprocess execution (soffice, git).
      4. Sanitization: Uses defusedxml for secure XML parsing but lacks natural language filtering for document text.
  • [COMMAND_EXECUTION]: Python scripts pack.py and redlining.py utilize subprocess.run to execute the 'soffice' and 'git' system binaries with dynamically constructed arguments.
  • [COMMAND_EXECUTION]: The documentation directs the agent to run 'sudo apt-get install' for setting up dependencies, which entails high-risk command execution with administrative privileges.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 01:35 AM