docx
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill's primary function involves processing untrusted .docx files, which exposes an 'Indirect Prompt Injection' surface (Category 8). Maliciously crafted documents could contain instructions aimed at subverting the agent's behavior.
  - Ingestion points: Data enters the agent's context through `pandoc` text extraction and XML unpacking in `ooxml/scripts/unpack.py`.
  - Boundary markers: The skill does not currently implement specific delimiters or instructions to isolate and ignore embedded content within the extracted text.
  - Capability inventory: The skill utilizes `subprocess.run` for system commands (soffice, git, pandoc) and has file system write access via the Document library.
  - Sanitization: It uses `defusedxml` for secure XML parsing to prevent structural attacks, but it does not sanitize or filter the semantic text content of the documents before presentation to the agent.
- [COMMAND_EXECUTION]: Several scripts including `pack.py` and `redlining.py` use the Python `subprocess` module to execute system commands such as `soffice` (LibreOffice), `git`, and `pdftoppm`. These calls are used for legitimate document conversion and validation purposes, but they represent a sensitive capability that relies on the safe handling of document file paths.
Audit Metadata