docx (skills/aidotnet/opencowork/docx)

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's extraction and validation scripts contain multiple vulnerabilities that could lead to unauthorized system access.
      • Path Traversal (Zip Slip): In ooxml/scripts/unpack.py and scripts/add_toc_placeholders.py, the zipfile.ZipFile.extractall() method is used on untrusted archives without validating that extracted file paths remain within the target directory. A malicious .docx file could use path traversal sequences (e.g., ../) to overwrite critical system files.
      • XML External Entity (XXE): The validator script in ooxml/scripts/validation/base.py uses lxml.etree.parse() on document XML files without disabling external entity resolution. A malicious document could exploit this to read local files or perform Server-Side Request Forgery (SSRF) during the validation process.
  • [PROMPT_INJECTION]: The skill processes untrusted document content, which serves as a significant vector for indirect prompt injection attacks.
      • Ingestion points: Document content enters the agent's context through raw XML extraction in unpack.py and structural conversion via pandoc, as described in the SKILL.md workflows.
      • Boundary markers: There are no delimiters or instructions to help the agent distinguish between its own system prompt and the content of the document being processed, which may lead to the agent following instructions embedded within a document.
      • Capability inventory: The skill grants the agent the ability to execute shell commands (soffice, pandoc, git) and perform filesystem operations, increasing the potential impact of a successful injection attack.
      • Sanitization: No sanitization is performed on extracted text to strip or escape natural-language instructions that could override agent behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 14, 2026, 09:21 AM