Skills
skills/syncfusion/document-sdk-skills/syncfusion-dotnet-word/Gen Agent Trust Hub

syncfusion-dotnet-word

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill generates temporary C# script files (.csx) and executes them using the dotnet script command to perform document automation tasks. This dynamic execution is the primary function of the skill's execution mode.
  • [EXTERNAL_DOWNLOADS]: Fetches various Syncfusion-maintained NuGet packages (such as Syncfusion.DocIO.Net.Core) from the official NuGet gallery and requires the installation of the dotnet-script global tool.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data formats (HTML, Markdown, Word) which are then processed by the agent. This is combined with powerful capabilities like file system writes and script execution.
  • Ingestion points: Processes user-supplied .docx, .html, .rtf, .md, and .txt files.
  • Boundary markers: None explicitly defined in the provided prompt templates.
  • Capability inventory: File system writes in ./output/, network asset fetching via HttpClient (documented in html-conversions.md), and subprocess execution via dotnet script.
  • Sanitization: No explicit sanitization or escaping of external content is documented in the reference snippets.
  • [SAFE]: The skill follows security best practices by encouraging the use of environment variables or external text files for license keys instead of hardcoding sensitive credentials.
  • [SAFE]: Operations are restricted to the local workspace and a dedicated ./output/ directory for generated files.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 26, 2026, 05:39 AM