docx
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill performs file system operations (reading, writing, and deleting) primarily within temporary directories and user-specified output paths. No unauthorized data exfiltration or credential leakage was detected.
- [Command Execution] (SAFE): In 'ooxml/scripts/pack.py', the skill executes 'soffice' (LibreOffice) to validate document integrity. The execution uses 'subprocess.run' with a list of arguments rather than a shell string, effectively preventing command injection via malicious file paths.
- [Unverifiable Dependencies] (LOW): The skill relies on 'soffice' (LibreOffice) being installed on the host system. It also uses standard libraries like 'lxml' and 'defusedxml'.
- [Indirect Prompt Injection] (LOW): The skill processes untrusted Office documents, which creates a surface for indirect prompt injection if the agent subsequently interprets the content of these documents.
  - Ingestion points: 'ooxml/scripts/unpack.py' and 'ooxml/scripts/validate.py' ingest Office files and their XML contents.
  - Boundary markers: Absent; the skill does not wrap extracted text in delimiters or provide warnings to the LLM regarding embedded instructions.
  - Capability inventory: The skill can execute 'soffice' and perform recursive file system writes/deletes.
  - Sanitization: The skill uses 'defusedxml' for most XML parsing tasks, which is an excellent mitigation against XXE. However, 'lxml' is used in 'ooxml/scripts/validation/docx.py' with default settings (resolving entities), which is a minor security weakness.
- [Persistence Mechanisms] (SAFE): No attempts to modify shell profiles, cron jobs, or startup services were found.
- [Dynamic Execution] (SAFE): The skill does not use 'eval()', 'exec()', or dynamic library loading techniques.