docx
Warn
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/office/soffice.py` dynamically generates and executes code. It writes a C source file to a temporary directory and invokes `gcc` to compile it into a shared object library. This library is then loaded using `LD_PRELOAD` to modify system-level socket behavior, which is a high-risk capability even if used for environment compatibility.
- [COMMAND_EXECUTION]: The skill frequently invokes external CLI tools using `subprocess.run`. Affected files include `scripts/accept_changes.py`, `scripts/office/soffice.py`, and `scripts/office/validators/redlining.py`, which execute `soffice` (LibreOffice), `gcc`, and `git`.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting and processing untrusted document content.
  - Ingestion points: `scripts/office/unpack.py` extracts XML from arbitrary `.docx` files into the local environment.
  - Boundary markers: Absent; XML content is processed and merged without delimiters or instructions to ignore embedded prompts.
  - Capability inventory: The skill has extensive command execution capabilities (`soffice`, `gcc`) that could be targeted via document content poisoning.
  - Sanitization: Absent; there is no evidence of content filtering or sanitization before processing the XML files.
Audit Metadata