docx

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests arbitrary user/third-party .docx files as part of its workflows—e.g., the pandoc conversion step ("pandoc --track-changes=all path-to-file.docx") and the unpack script ("python ooxml/scripts/unpack.py <office_file> <output_directory>")—so the agent reads and interprets untrusted document content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt explicitly instructs installing system packages (e.g., "sudo apt-get install pandoc", "sudo apt-get install libreoffice", global npm installs) and other system-level dependency changes that require elevated privileges and can modify the machine state, even though it doesn't instruct creating users or bypassing security mechanisms.