docx
Fail
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill performs runtime compilation and process injection in scripts/office/soffice.py.
  - It dynamically generates C source code and writes it to a temporary file (lo_socket_shim.c).
  - It executes gcc via subprocess.run to compile this source into a shared object library.
  - It then uses the LD_PRELOAD environment variable to inject the compiled library into the soffice process to hook system calls. This is a high-risk dynamic execution pattern: anything that can influence the generated C source, the temporary file, or the environment of the soffice launch gains native code execution in that process.
- [COMMAND_EXECUTION]: Multiple scripts execute system-level commands using subprocess.run(), which increases the risk of command injection.
  - scripts/accept_changes.py and scripts/office/soffice.py invoke soffice with complex arguments.
  - scripts/office/soffice.py invokes gcc for runtime compilation.
  - scripts/office/validators/redlining.py executes git diff on extracted document content.
  - Note: when subprocess.run() is given an argument list rather than shell=True, no shell parses the command line, so the remaining exposure is argument injection through attacker-controlled paths (for example a document name beginning with "-") and the runtime compilation step above.
- [DATA_EXFILTRATION]: Several components use insecure XML parsers on content extracted from untrusted user documents.
  - scripts/office/validators/redlining.py and scripts/office/helpers/simplify_redlines.py use the standard xml.etree.ElementTree parser, which is vulnerable to XML External Entity (XXE) attacks.
  - A malicious document could exploit this to read sensitive local files from the agent's environment.
  - Caveat: the standard-library parser is backed by Expat, which does not fetch external entities and raises a ParseError when an external or undeclared entity is referenced, so direct file disclosure through xml.etree.ElementTree is unlikely. What the standard parser does accept is internal entity expansion, which is the "billion laughs" denial-of-service vector. Parsing these parts with defusedxml, or rejecting any DOCTYPE before parsing (no OOXML part needs one), closes both paths.
- [PROMPT_INJECTION]: The skill ingests and processes untrusted XML content from Word documents, creating a significant surface for indirect prompt injection.
  - Ingestion occurs in scripts/office/unpack.py, which extracts content from ZIP-formatted .docx files.
  - The skill lacks explicit boundary markers or instructions to ignore embedded directives when presenting extracted content to the AI agent.
  - This could allow a malicious document to influence the agent's behavior through hidden text (for example, vanished or white-on-white runs) or document metadata.
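The DATA_EXFILTRATION finding above attributes XXE to the standard xml.etree.ElementTree parser. As an added example (not code from the docx skill or from the auditor), the following Python script shows what the Expat-backed standard parser actually does with constructed entity-bearing inputs, and a parse function that builds an ElementTree from untrusted bytes while refusing any DOCTYPE, which blocks both the external-entity and the entity-expansion path without a third-party dependency. The XML samples are constructed here; the names parse_untrusted_part, stdlib_behaviour, rejects_dtd and DTDForbidden are illustrative, not part of the skill.

```python
"""Added example: safe ElementTree construction from untrusted .docx parts.

Two observations about the standard library, then a hardened parser:
  1. ET.fromstring() does NOT fetch external entities; it raises ParseError.
  2. ET.fromstring() DOES expand internal entities (billion-laughs DoS vector).
The hardened parser drives Expat directly so the parse aborts at the DOCTYPE,
before any entity declaration is processed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample inputs (not taken from any real document).
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<r>&xxe;</r>'
)
INTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<r>&b;</r>'
)
CLEAN_DOC = (
    b'<?xml version="1.0"?>'
    b'<w:document xmlns:w="' + W_NS.encode() + b'">'
    b'<w:body><w:p><w:r><w:t>Accept all changes</w:t></w:r></w:p></w:body>'
    b'</w:document>'
)


class DTDForbidden(ValueError):
    """Raised when an untrusted part carries a DOCTYPE; no OOXML part needs one."""


def stdlib_behaviour(data: bytes) -> str:
    """Return the root element's text from plain ET.fromstring, or 'ParseError'."""
    try:
        return ET.fromstring(data).text or ""
    except ET.ParseError:
        return "ParseError"


def parse_untrusted_part(data: bytes) -> ET.Element:
    """Build an ElementTree from untrusted bytes, rejecting any DTD.

    Expat is created with '}' as the namespace separator so element and
    attribute names arrive as 'uri}local'; fix() turns them into the
    '{uri}local' form that ElementTree uses for find()/findall().
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(None, "}")
    parser.buffer_text = True  # coalesce character data into one callback

    def fix(name: str) -> str:
        return "{" + name if "}" in name else name

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside an Expat handler propagate out of Parse(),
        # so the document is never parsed past this point.
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in untrusted document XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda tag, attrs: builder.start(
        fix(tag), {fix(k): v for k, v in attrs.items()}
    )
    parser.EndElementHandler = lambda tag: builder.end(fix(tag))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refuses the input because of a DOCTYPE."""
    try:
        parse_untrusted_part(data)
    except DTDForbidden:
        return True
    return False


if __name__ == "__main__":
    print("external entity via stdlib:", stdlib_behaviour(EXTERNAL_ENTITY_DOC))
    print("internal entity via stdlib:", stdlib_behaviour(INTERNAL_ENTITY_DOC))
    print("hardened parser rejects DTD:", rejects_dtd(INTERNAL_ENTITY_DOC))
    root = parse_untrusted_part(CLEAN_DOC)
    print("clean part text:", root.find(f".//{{{W_NS}}}t").text)
```

The DOCTYPE rejection is deliberately coarse: legitimate Word parts never declare a DTD, so refusing one costs nothing and removes the whole entity machinery at once. If the extracted part must keep flowing through the existing ET-based validators, the hardened function can replace their ET.parse()/ET.fromstring() call without changing what they receive, since it returns an ordinary Element with ElementTree-style namespaced tags.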
Recommendations
- AI detected serious security threats
Audit Metadata