docx
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The skill performs runtime compilation and process injection in
scripts/office/soffice.py. - It contains hardcoded C source code for a socket shim.
- At runtime, it writes this source to a temporary file and executes
gccto compile a shared object (.so). - It uses the
LD_PRELOADenvironment variable to inject this compiled library into the LibreOffice (soffice) process to bypass socket restrictions. - [COMMAND_EXECUTION]: The skill makes extensive use of the
subprocessmodule to execute system commands. - It invokes
sofficefor document conversion and change acceptance inscripts/accept_changes.pyandscripts/office/soffice.py. - It executes
gccfor the runtime compilation mentioned above. SKILL.mdinstructs the agent to runpandocandpdftoppmvia the command line.- [EXTERNAL_DOWNLOADS]: The documentation in
SKILL.mdexplicitly instructs the user to install an external package globally usingnpm install -g docx. - [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection (Category 8).
- Ingestion points: The skill reads untrusted content from
.docxfiles usingpandocor by unpacking raw XML. - Boundary markers: There are no explicit instructions or delimiters provided to the agent to distinguish between its own instructions and the content extracted from processed documents.
- Capability inventory: The skill possesses powerful capabilities including arbitrary file writing (
scripts/office/unpack.py), network-related process shimming (scripts/office/soffice.py), and complex subprocess execution. - Sanitization: While it uses
defusedxmlfor some XML operations, the overall workflow involves the agent reading and potentially acting upon the natural language content of external documents.
Recommendations
- AI detected serious security threats
Audit Metadata