Skills
skills/sungkhum/agent-skills/odt/Gen Agent Trust Hub

odt

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill handles complex untrusted data (ODT/XML) and has capabilities that could be abused if an attacker embeds instructions in the processed documents.\n
  • Ingestion points: scripts/unpack_odt.py and scripts/odt_document.py (via scripts/utilities.py) ingest XML content and assets from external ODT packages.\n
  • Boundary markers: Absent. The skill does not implement delimiters or specific instructions to isolate untrusted content from the agent's logic.\n
  • Capability inventory: Extensive file-writing via scripts/pack_odt.py and scripts/odt_document.py; external tool execution via scripts/validate_rng.py (subprocess.run).\n
  • Sanitization: The skill uses defusedxml to mitigate XML-specific attacks, but lacks sanitization for embedded natural language instructions.\n- Data Exposure & Exfiltration (LOW): The skill performs outbound network requests to a non-whitelisted domain.\n
  • Evidence: scripts/fetch_odf_schemas.py uses urllib.request.urlopen to connect to https://docs.oasis-open.org.\n- External Downloads (MEDIUM): Automated downloading of schema files from external sources.\n
  • Evidence: scripts/fetch_odf_schemas.py retrieves .rng and .owl files from OASIS. This bypasses local security checks as indicated by the # nosec comment in the source code.\n- Command Execution (LOW): Execution of external validation tools.\n
  • Evidence: scripts/validate_rng.py uses subprocess.run to call jing.\n- Dynamic Execution (LOW): Use of runpy for internal script orchestration.\n
  • Evidence: Multiple scripts and wrappers use runpy.run_path to execute local Python files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:02 PM