docx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): In `ooxml/scripts/unpack.py`, the skill uses `zipfile.ZipFile.extractall()` to unpack Office documents. This function does not inherently protect against 'Zip Slip' attacks, where a malicious archive containing filenames with `../` sequences can write or overwrite files outside the target directory.
- [DATA_EXFILTRATION] (MEDIUM): The file `ooxml/scripts/validation/docx.py` uses `lxml.etree.parse()` to read XML data. By default, lxml may attempt to resolve external entities, making the skill vulnerable to XML External Entity (XXE) attacks. This could allow an attacker to read local files or perform server-side request forgery (SSRF) via a crafted .docx file.
- [COMMAND_EXECUTION] (LOW): The `ooxml/scripts/pack.py` script invokes the `soffice` (LibreOffice) binary via `subprocess.run` to validate documents. While arguments are passed as a list, this capability allows the agent to process untrusted files through a complex external suite, which may have its own document-processing vulnerabilities.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes complex, untrusted data structures from external Office files.
  - Ingestion points: `ooxml/scripts/unpack.py` extracts data from untrusted .docx, .pptx, and .xlsx archives.
  - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present when the agent context is populated with extracted XML content.
  - Capability inventory: The skill can execute system commands (`soffice`), write files to the filesystem (`pack.py`), and read arbitrary XML components.
  - Sanitization: No sanitization or rigorous schema validation is applied to the XML content before it is parsed by `lxml` or `defusedxml`.
Audit Metadata