docx
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/office/soffice.py dynamically generates C source code at runtime, compiles it with the system's gcc compiler into a shared object file, and injects the resulting library into the soffice process using the LD_PRELOAD environment variable. This technique is used to shim UNIX socket operations in restricted environments.
- [COMMAND_EXECUTION]: The skill utilizes subprocess.run to execute various system binaries: gcc is used for shim compilation in scripts/office/soffice.py; soffice (LibreOffice) is invoked for document conversion in scripts/office/soffice.py and scripts/accept_changes.py; git diff is called in scripts/office/validators/redlining.py for validation.
- [EXTERNAL_DOWNLOADS]: The documentation in SKILL.md instructs users to download and install the docx package from the npm registry.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection through document processing. Ingestion points: Word document XML content is extracted in scripts/office/unpack.py. Boundary markers: Absent; no markers are used to separate untrusted content from instructions. Capability inventory: High-risk capabilities include arbitrary command execution in scripts/office/soffice.py and file system write operations in scripts/office/pack.py. Sanitization: While defusedxml is used for XML parsing, the text content is not sanitized for AI instructions.
Recommendations
- AI detected serious security threats
Audit Metadata