docx
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): A Path Traversal (Zip Slip) vulnerability exists in ooxml/scripts/unpack.py due to the use of zipfile.ZipFile.extractall(). An attacker can provide a specially crafted Office document containing filenames with directory traversal patterns (e.g., ../../) to overwrite critical system files or scripts, potentially leading to remote code execution.
- COMMAND_EXECUTION (MEDIUM): The skill executes external system commands using subprocess.run in ooxml/scripts/pack.py to invoke soffice (LibreOffice/OpenOffice). While the command is structured, it exposes the system to the attack surface of a complex document parser on potentially malicious input.
- DATA_EXFILTRATION (MEDIUM): Potential XML External Entity (XXE) vulnerability in ooxml/scripts/validation/docx.py. The code uses lxml.etree.parse() on XML files that were extracted from an untrusted zip archive without disabling entity resolution. This could allow an attacker to read local files or perform server-side request forgery (SSRF).
- INDIRECT_PROMPT_INJECTION (LOW): The skill is highly susceptible to indirect prompt injection as it processes complex, attacker-controlled Office documents.
  - Ingestion points: ooxml/scripts/unpack.py (reads zip file members) and ooxml/scripts/validation/docx.py (parses extracted XML).
  - Boundary markers: None. There are no instructions to the agent to ignore content within the documents.
  - Capability inventory: File system write access via the Zip Slip vulnerability and command execution via soffice.
  - Sanitization: The skill uses defusedxml in some areas, but fails to sanitize zip entry paths and uses standard lxml for validation logic.
Recommendations
- AI detected serious security threats
Audit Metadata