Trust Assessment
docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 7 critical, 8 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings16
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/docx/ooxml/scripts/pack.py:103 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/docx/ooxml/scripts/validation/redlining.py:153 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/docx/ooxml/scripts/validation/redlining.py:185 | |
| CRITICAL | Prompt Injection via 'MANDATORY - READ ENTIRE FILE' instruction The skill explicitly instructs the LLM to 'NEVER set any range limits' when reading `docx-js.md` and `ooxml.md`. This is a critical prompt injection vector, as it forces the LLM to consume potentially large amounts of untrusted content without any filtering or truncation, which could contain further manipulative instructions or data exfiltration attempts. This bypasses typical safety mechanisms designed to limit LLM input processing. Remove the 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits' instructions. Instead, provide specific, limited excerpts or summaries, or instruct the LLM to use a tool to query specific sections of the file if needed. | LLM | SKILL.md:40 | |
| CRITICAL | Command Injection via direct shell execution with user-controlled input The skill instructs the LLM to execute various shell commands (`pandoc`, `python unpack.py`, `python pack.py`, `soffice`, `pdftoppm`) where parts of the command (e.g., file paths, output names) are derived from user input. Without explicit sanitization or a robust command execution wrapper, an attacker could inject shell metacharacters (e.g., `;`, `|`, `&`, `$(...)`) into these arguments, leading to arbitrary command execution on the host system. Implement a secure command execution mechanism that strictly validates and sanitizes all user-provided arguments before passing them to shell commands. Ideally, use a dedicated tool or API that does not involve direct shell command string construction with user input. If direct shell execution is unavoidable, use `shlex.quote()` in Python or equivalent for other languages to properly escape arguments. | LLM | SKILL.md:29 | |
| CRITICAL | Path Traversal (Zip Slip) vulnerability in unpack.py The `ooxml/scripts/unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)`. This function is vulnerable to Zip Slip, where a malicious `.docx` (which is a zip file) can contain entries with path traversal sequences (e.g., `../../etc/passwd`). When extracted, these entries would write files outside the intended `output_path`, potentially overwriting critical system files or placing malicious executables. Before extracting, inspect each member's name in the zip file to ensure it does not contain path traversal sequences (e.g., `..`). Only extract members whose resolved path is strictly within the intended `output_path`. A common pattern is to join `output_path` with the member name and then verify that the resulting path starts with `output_path`. | LLM | ooxml/scripts/unpack.py:16 | |
| CRITICAL | Command Injection in pack.py via `soffice` call The `pack_document` function in `ooxml/scripts/pack.py` constructs a `subprocess.run` command that includes `str(doc_path)` (the user-controlled output file name) directly. An attacker could craft a malicious `output_file` name containing shell metacharacters (e.g., `'; rm -rf /'`) to execute arbitrary commands when `soffice` is invoked. Ensure that `doc_path` is properly sanitized or quoted before being passed to `subprocess.run`. For Python, passing arguments as a list (as is done here) is generally safer than a single string, but `str(doc_path)` itself could contain metacharacters if the filename is crafted. The `shlex.quote()` function should be applied to `str(doc_path)` if it's user-controlled, or better, ensure the filename is validated to contain only safe characters. | LLM | ooxml/scripts/pack.py:40 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/docx/ooxml/scripts/pack.py:144 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/docx/scripts/document.py:128 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/docx/scripts/utilities.py:314 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/docx/scripts/utilities.py:337 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/docx/ooxml/scripts/pack.py:103 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/docx/ooxml/scripts/validation/redlining.py:153 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/docx/ooxml/scripts/validation/redlining.py:185 | |
| HIGH | XML External Entity (XXE) vulnerability in RedliningValidator The `RedliningValidator` in `ooxml/scripts/validation/redlining.py` uses `xml.etree.ElementTree` to parse XML files (`modified_file`, `original_file`) which originate from user-provided `.docx` files. `xml.etree.ElementTree` is known to be vulnerable to XML External Entity (XXE) attacks by default. A malicious `.docx` file could contain XML with external entity declarations, leading to arbitrary file disclosure (data exfiltration), Server-Side Request Forgery (SSRF), or denial of service. Replace `xml.etree.ElementTree` with `defusedxml.ElementTree` or configure `xml.etree.ElementTree` to disable DTD processing and external entity resolution. For example, use `ET.XMLParser(resolve_entities=False)` or `defusedxml.ElementTree.parse()`. | LLM | ooxml/scripts/validation/redlining.py:78 | |
| MEDIUM | Unpinned npm dependency in installation instructions The skill's dependency section instructs `npm install -g docx` without specifying a version. This makes the skill vulnerable to supply chain attacks, where a malicious actor could publish a compromised version of the `docx` package to the npm registry. If the LLM were to execute this instruction, it would install the latest (potentially malicious) version. Always pin dependencies to a specific version (e.g., `npm install -g docx@1.2.3`). This ensures that the same, tested version is always installed, mitigating the risk of malicious updates or breaking changes. | LLM | SKILL.md:194 |
Scan History
Embed Code
[](https://skillshield.io/report/0a1abc0b3f695aad)
Powered by SkillShield