automating-word
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies (MEDIUM): The skill promotes the installation of the 'pyxa' library via pip, which is a third-party package not hosted by a designated trusted organization. Evidence: 'references/word-pyxa.md' contains 'pip install pyxa'.
- Dynamic Execution (MEDIUM): The skill utilizes the JXA 'ObjC' bridge to perform system-level tasks such as file management and clipboard manipulation. This allows the agent to bypass standard tool-based logging and interact directly with macOS APIs. Evidence: 'references/word-advanced.md' uses '$.NSFileManager' and '$.NSString' for file operations.
- Dynamic Execution (MEDIUM): The skill enables the execution of VBA macros stored within Word documents via 'word.run()'. If an agent is tasked with opening a malicious document, this could lead to the execution of embedded untrusted code. Evidence: 'references/word-advanced.md' shows 'word.run("FormatReport")'.
- Indirect Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it reads raw content from Word documents without sanitization or boundary delimiters.
  - Ingestion points: Document content is accessed in 'references/word-basics.md' via 'doc.content.content()'.
  - Boundary markers: Absent. No instructions are provided to delimit or ignore instructions within the document text.
  - Capability inventory: The skill has 'Bash', 'Read', and 'Write' permissions, supplemented by system-level access via the 'ObjC' bridge and macro execution.
  - Sanitization: Absent. Content is processed directly from the application object.
Audit Metadata