docx-toolkit
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or security vulnerabilities were detected in the skill's instructions or scripts. The auditor tool uses the standard library (
zipfile,xml.etree) to parse document metadata without requiring external packages. - [SAFE]: The skill processes untrusted document data, which is its primary purpose. The risk of indirect prompt injection is minimized because the script only extracts metadata and truncated text, and it lacks dangerous capabilities such as network access or shell execution.
- Ingestion points:
scripts/docx_auditor.pyreads and parses OOXML content from.docxfiles. - Boundary markers: The script output summarizes data into structured counts and truncated strings, which naturally delimits content from potential instructions.
- Capability inventory: The script is limited to local file system reads and standard output. It contains no calls to
subprocess,os.system, or network libraries. - Sanitization: The script uses
xml.etree.ElementTreefor XML parsing and limits heading text extraction to 80 characters.
Audit Metadata