docx-processing-anthropic
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (flags: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (LOW): The skill is an ingestion point for untrusted Office document data, so instructions hidden inside a processed file can reach the agent as if they were part of its task (indirect prompt injection).
  - Ingestion points: `ooxml/scripts/unpack.py` extracts the contents of external zip-based Office files into a local directory.
  - Boundary markers: Absent. Nothing delimits the extracted XML content from the agent's system instructions, so the model has no signal that the extracted text is data rather than instructions.
  - Capability inventory: zip extraction, file writing, XML parsing, and external command execution.
  - Sanitization: `defusedxml` is used in some scripts, but `ooxml/scripts/validation/docx.py` calls `lxml.etree.parse` with a default parser rather than one hardened against entity expansion (for example, an `XMLParser` created with `resolve_entities=False`), so entity declarations in a document's XML parts are not rejected.
- Dynamic Execution (LOW): `ooxml/scripts/pack.py` runs the `soffice` (LibreOffice) binary via `subprocess.run` to validate the packed document. Arguments are passed as a list, so shell injection is not possible, but the untrusted document is still parsed by LibreOffice itself, and the skill inherits any parsing bug in that external component.
- Data Exposure & Exfiltration (LOW): `ooxml/scripts/unpack.py` calls `zipfile.extractall()`, which the audit flags as exposed to path traversal (Zip Slip): a member name containing `../` sequences would be written outside the intended output directory. Note that CPython's `zipfile` has sanitized member names on extraction since Python 3.3.1, stripping absolute prefixes and `..` components, so the traversal only materializes if the script builds destination paths from member names itself or runs on an older interpreter. The finding still warrants a defense-in-depth path check and a limit on decompressed size, which `extractall()` does not impose.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill uses the well-known Python packages `lxml` and `defusedxml`. No suspicious remote downloads or untrusted dependency installations were detected.
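The two findings against `unpack.py` and `docx.py` (traversal via `extractall()` and unhardened XML parsing) can be handled at the same point, before any part reaches a parser. The block below is an added example written for this page, not code from the skill or from the auditor: it assumes a hypothetical `unpack_safely` helper standing in for `extractall()`, checks each member's resolved destination against the output directory, caps the total decompressed size, and refuses any XML part that declares a DOCTYPE, which OOXML never legitimately does. The archive it runs against is constructed inline as a fixture.

```python
import io
import os
import re
import stat
import tempfile
import zipfile
from typing import Dict, List, Optional

# Upper bound on total decompressed bytes. OOXML parts are small; a document
# that inflates past this is treated as a decompression bomb, which
# extractall() would otherwise write to disk without limit.
MAX_TOTAL_BYTES = 50 * 1024 * 1024

# OOXML parts never carry a DTD, so any DOCTYPE (and with it any ENTITY
# declaration) is grounds to refuse the part before an XML parser sees it.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def build_sample_docx() -> bytes:
    """Constructed fixture, not a real document: one clean part, one member
    whose name climbs out of the output directory, one part carrying a DTD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("../../outside.txt", "escaped")
        zf.writestr(
            "word/settings.xml",
            '<!DOCTYPE x [<!ENTITY e "boom">]><settings>&e;</settings>',
        )
    return buf.getvalue()


def classify_member(info: zipfile.ZipInfo, out_dir: str) -> Optional[str]:
    """Return a rejection reason for an archive member, or None if it may be written."""
    name = info.filename
    if name.startswith(("/", "\\")) or os.path.isabs(name) or "\\" in name:
        return "absolute path or backslash separator"
    # Symlink entries carry their mode in the upper 16 bits of external_attr.
    # zipfile itself writes them as plain files, but refuse them anyway so a
    # later step using a different unpacker cannot follow them.
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symlink"
    # The traversal check proper: the resolved destination must lie under the
    # output directory, not merely share a string prefix with it.
    root = os.path.realpath(out_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return "path traversal"
    return None


def unpack_safely(docx_bytes: bytes, out_dir: str) -> Dict[str, object]:
    """Extract only validated members into out_dir; report what was written and refused."""
    written: List[str] = []
    refused: Dict[str, str] = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_member(info, out_dir)
            if reason is not None:
                refused[info.filename] = reason
                continue
            dest = os.path.join(out_dir, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                written.append(info.filename)
                continue
            # Read at most the remaining budget plus one byte, so a member that
            # lies about its size in the header is still caught by actual length.
            with zf.open(info) as fh:
                data = fh.read(MAX_TOTAL_BYTES - total + 1)
            if total + len(data) > MAX_TOTAL_BYTES:
                refused[info.filename] = "decompressed size limit"
                break
            total += len(data)
            if info.filename.lower().endswith((".xml", ".rels")) and _DOCTYPE_RE.search(data):
                refused[info.filename] = "DOCTYPE in XML part"
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as out:
                out.write(data)
            written.append(info.filename)
    return {"written": written, "refused": refused}


def demo() -> Dict[str, object]:
    """Run the hardened unpack against the fixture in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return unpack_safely(build_sample_docx(), tmp)


if __name__ == "__main__":
    print(demo())
```

Refusing a DOCTYPE at unpack time means the later `lxml.etree.parse` call in `docx.py` never sees an entity declaration whatever its parser settings are, which is a cheaper fix than auditing every parse site. The `commonpath` check duplicates the name sanitization modern `zipfile` already performs; it is kept as defense in depth and because it also covers any code path that builds destination paths from member names by hand.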
Audit Metadata