docx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted content from .docx files (Phase 2-B/C) and processes it using agents with significant side-effect capabilities.
  - Ingestion points: Processes external Word documents mentioned in the description and workflow.
  - Boundary markers: No delimiters or isolation techniques are specified to separate document content from system instructions.
  - Capability inventory: Includes shell execution for pandoc, soffice (LibreOffice), and multiple Python scripts. Can create, edit, and write files to the system.
  - Sanitization: The skill relies on validate.py for XML schema validation, which does not mitigate natural language prompt injection inside the document body.
- Command Execution (MEDIUM): The workflow utilizes multiple shell-level invocations of Python scripts and external binaries (pandoc, LibreOffice) with environment variable manipulation (PYTHONPATH).
- External Downloads (MEDIUM): Dependencies include the docx-js npm package and the markitdown Python package, which are external and not from the defined trusted source list.
Recommendations
- AI detected serious security threats
Audit Metadata