docx
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The documentation in SKILL.md, docx-js.md, and ooxml.md includes strong directives such as "MANDATORY - READ ENTIRE FILE" and "NEVER set any range limits when reading this file." These instructions are designed to override the agent's default documentation-handling behavior to ensure the entire technical context is ingested before performing document manipulations.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted document data, which creates a vulnerability surface for indirect prompt injection.
  - Ingestion points: Untrusted content enters the agent's context through the unpacking and reading of XML files (e.g., word/document.xml) using the Document class in scripts/document.py and XMLEditor in scripts/utilities.py.
  - Boundary markers: The skill does not implement explicit delimiters or "ignore embedded instructions" warnings when presenting extracted document text to the agent.
  - Capability inventory: The skill uses subprocess.run to execute external tools like soffice (in ooxml/scripts/pack.py) and git (in ooxml/scripts/validation/redlining.py) for document validation and differencing.
  - Sanitization: The skill mitigates XML-level attacks (like XXE) by using the defusedxml library for all XML parsing operations and performs HTML escaping on author metadata in scripts/document.py.