Security Audit
ailabs-393/ai-labs-claude-skills:packages/skills/document-skills/docx
github.com/ailabs-393/ai-labs-claude-skills
Trust Assessment
ailabs-393/ai-labs-claude-skills:packages/skills/document-skills/docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 3 critical, 8 high, 3 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 14, 2026 (commit 1a12bc7a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | packages/skills/document-skills/docx/ooxml/scripts/pack.py:103 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | packages/skills/document-skills/docx/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | packages/skills/document-skills/docx/ooxml/scripts/validation/redlining.py:185 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Recommendation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | packages/skills/document-skills/docx/ooxml/scripts/pack.py:144 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Recommendation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | packages/skills/document-skills/docx/scripts/document.py:128 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Recommendation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | packages/skills/document-skills/docx/scripts/utilities.py:314 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Recommendation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | packages/skills/document-skills/docx/scripts/utilities.py:337 |
| HIGH | Dangerous call: subprocess.run(). Call to `subprocess.run()` detected in function `validate_document`. This can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | packages/skills/document-skills/docx/ooxml/scripts/pack.py:103 |
| HIGH | Dangerous call: subprocess.run(). Call to `subprocess.run()` detected in function `_get_git_word_diff`. This can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | packages/skills/document-skills/docx/ooxml/scripts/validation/redlining.py:153 |
| HIGH | Dangerous call: subprocess.run(). Call to `subprocess.run()` detected in function `_get_git_word_diff`. This can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | packages/skills/document-skills/docx/ooxml/scripts/validation/redlining.py:185 |
| HIGH | XML External Entity (XXE) vulnerability in lxml parsing. The `BaseSchemaValidator` (and its subclasses `DOCXSchemaValidator`, `PPTXSchemaValidator`) uses `lxml.etree.parse` to parse XML files extracted from user-provided Office documents. By default, `lxml.etree.parse` resolves external entities, making it vulnerable to XML External Entity (XXE) attacks. A malicious `.docx` file could contain XML with external entity declarations that, when parsed, could lead to: 1) data exfiltration (e.g., reading local files like `/etc/passwd`), 2) Server-Side Request Forgery (SSRF) by making requests to internal or external systems, or 3) Denial of Service (DoS) through recursive entity expansion or resource exhaustion. Recommendation: use `defusedxml.lxml` for parsing untrusted XML files. Specifically, replace `lxml.etree.parse` with `defusedxml.lxml.parse` and ensure `resolve_entities=False` (which is the default for `defusedxml.lxml.parse`). Alternatively, configure `lxml`'s parser to explicitly disable entity resolution (e.g., `parser = lxml.etree.XMLParser(resolve_entities=False)`). | Static | ooxml/scripts/validation/base.py:195 |
| MEDIUM | Unpinned dependency in skill documentation. The `SKILL.md` documentation recommends installing `defusedxml` without specifying a version. This can lead to supply chain risks if a malicious version of the package is published or if future versions introduce breaking changes or vulnerabilities. It is best practice to pin dependencies to specific versions. Recommendation: specify a pinned version for `defusedxml` (e.g., `pip install defusedxml==0.7.1`) to ensure consistent and secure installations. | Static | SKILL.md:196 |
| MEDIUM | Reliance on external binary for document processing. The `pack.py` script and consequently the `document.py` library use `subprocess.run` to invoke `soffice` (LibreOffice) for document validation and conversion. While `subprocess.run` is used with `shell=False` (mitigating direct shell injection from filenames), `soffice` is a complex external application. Processing untrusted user-provided documents with such a binary introduces a risk of vulnerabilities within `soffice` itself (e.g., parsing exploits, memory corruption) that could be triggered by a specially crafted document, potentially leading to arbitrary code execution or denial of service outside the Python script's direct control. Recommendation: mitigate risks by ensuring `soffice` is run in a highly restricted environment (e.g., a container with minimal privileges, network access, and resource limits). Keep `soffice` updated to the latest secure version. Consider whether a pure-Python alternative exists for critical operations, or whether the validation can be performed in a safer, isolated manner. | Static | ooxml/scripts/pack.py:78 |
| MEDIUM | XML bomb (billion laughs) vulnerability in ElementTree parsing. The `RedliningValidator` uses `xml.etree.ElementTree.parse` to parse XML files extracted from user-provided Office documents. While `ElementTree` is not vulnerable to XXE by default, it can still be vulnerable to XML bomb attacks (e.g., "billion laughs" or recursive entity expansion). A specially crafted XML file could cause the parser to consume excessive memory and CPU, leading to a Denial of Service (DoS) for the agent. Recommendation: replace `xml.etree.ElementTree.parse` with `defusedxml.ElementTree.parse` when parsing untrusted XML files. `defusedxml` provides protections against various XML-related attacks, including XML bombs. | Static | ooxml/scripts/validation/redlining.py:80 |
Scan History
Full report: https://skillshield.io/report/36142f8f6a85178a
Powered by SkillShield