officecli-docx
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download an installation script from the vendor's GitHub repository at https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.sh (SKILL.md).
- [REMOTE_CODE_EXECUTION]: The installation process for the required tool involves piping remote shell and PowerShell scripts directly to execution engines (curl | bash and irm | iex). These scripts originate from the vendor's own repository (SKILL.md).
- [COMMAND_EXECUTION]: The skill relies on the execution of the officecli tool on the host system to create, read, and modify .docx files. It includes the ability to inject arbitrary XML into documents via the raw-set command (SKILL.md, creating.md, editing.md).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it extracts and processes text from untrusted Word documents.
  - Ingestion points: Document content is ingested through extraction commands such as officecli view doc.docx text and officecli view doc.docx annotated (SKILL.md, editing.md).
  - Boundary markers: There are no explicit boundary markers or instructions provided to the agent to distinguish between its instructions and the content extracted from the documents.
  - Capability inventory: The agent has the capability to modify the file system and execute CLI commands using the officecli utility (SKILL.md).
  - Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is returned to the agent's context.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.sh - DO NOT USE without thorough review