docx
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several well-known external command-line tools for document processing and validation. Specifically, 'ooxml/scripts/pack.py' executes 'soffice' (LibreOffice) in headless mode to validate document integrity, and 'ooxml/scripts/validation/redlining.py' uses 'git diff' to compare document versions. Additionally, 'SKILL.md' provides instructions for using 'pandoc' for text extraction and 'pdftoppm' for image conversion. These commands operate on local file paths provided during the workflow.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external .docx files.
  - Ingestion points: Data enters the agent's context through 'pandoc' text extraction (as described in SKILL.md), XML parsing in 'scripts/document.py', and unpacking in 'ooxml/scripts/unpack.py'.
  - Boundary markers (absent): The skill does not currently implement explicit boundary markers or delimiters around extracted document text to warn the agent about potential instructions embedded in the content.
  - Capability inventory: The skill possesses capabilities to execute shell commands ('subprocess.run' in 'pack.py' and 'redlining.py') and perform file system operations ('Document.save' in 'scripts/document.py').
  - Sanitization (absent): While the skill uses 'defusedxml' to mitigate XML-related attacks (like XXE), it does not sanitize the natural language content of the documents before it is processed by the agent.