Trust Assessment
docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 5 critical, 5 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 1/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/docx-official/ooxml/scripts/pack.py:103 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/docx-official/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/docx-official/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | Prompt Injection Attempt in Skill Instructions | The skill's primary documentation (SKILL.md) contains direct instructions to the LLM, such as 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits when reading this file'. While these are intended as legitimate workflow steps, they originate from the untrusted content section. This demonstrates a pattern where untrusted input could attempt to manipulate the LLM's internal processing or override its instructions, which is a critical prompt injection vulnerability if such instructions were to come from a malicious user input. | Rephrase instructions to the LLM to be less imperative and more descriptive of the desired outcome, or ensure that the LLM's internal mechanisms are robust against such direct commands from untrusted sources. For skills, consider using structured tool definitions for such directives rather than natural language instructions within untrusted content. | LLM | SKILL.md:32 |
| CRITICAL | Prompt Injection Attempt in Skill Instructions (Redlining Workflow) | Similar to the previous finding, the redlining workflow section in SKILL.md contains direct instructions to the LLM, such as 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits when reading this file'. This is a repeated pattern of untrusted content attempting to dictate the LLM's behavior, which is a critical prompt injection vulnerability if originating from malicious user input. | Rephrase instructions to the LLM to be less imperative and more descriptive of the desired outcome, or ensure that the LLM's internal mechanisms are robust against such direct commands from untrusted sources. For skills, consider using structured tool definitions for such directives rather than natural language instructions within untrusted content. | LLM | SKILL.md:100 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/docx-official/ooxml/scripts/pack.py:103 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/docx-official/ooxml/scripts/validation/redlining.py:153 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/docx-official/ooxml/scripts/validation/redlining.py:185 |
| HIGH | Zip Slip Vulnerability in Unpacking Script | The `ooxml/scripts/unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)` without sanitizing the filenames within the archive. A malicious `.docx` (which is a zip archive) could contain files with paths like `../../../../etc/passwd`, leading to a 'Zip Slip' vulnerability. This allows an attacker to write arbitrary files to arbitrary locations on the filesystem outside the intended `output_path`, potentially overwriting critical system files or injecting malicious code. | Implement path sanitization before extracting files from a zip archive. For each file in the archive, ensure its extracted path remains within the designated `output_path`. A common approach is to resolve the full path of each member and verify it starts with the `output_path`. | LLM | ooxml/scripts/unpack.py:14 |
| HIGH | Zip Slip Vulnerability in Redlining Validation Script | The `ooxml/scripts/validation/redlining.py` script also uses `zipfile.ZipFile(self.original_docx, 'r').extractall(temp_path)` to unpack the original document for comparison. This presents the same 'Zip Slip' vulnerability as `unpack.py`. A malicious `original_docx` could lead to arbitrary file writes outside the temporary directory, potentially compromising the system. | Implement path sanitization before extracting files from a zip archive. For each file in the archive, ensure its extracted path remains within the designated `temp_path`. A common approach is to resolve the full path of each member and verify it starts with the `temp_path`. | LLM | ooxml/scripts/validation/redlining.py:69 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Unpinned Dependencies in Skill Instructions | The `SKILL.md` file lists several dependencies (`pandoc`, `docx` (npm), `LibreOffice`, `Poppler`, `defusedxml`) without specifying exact versions. This lack of version pinning introduces a supply chain risk, as future installations could pull in newer, potentially vulnerable, or incompatible versions of these packages. For `npm` and `pip` packages, this is a direct risk. | Specify exact versions for all dependencies, especially for `npm` and `pip` packages (e.g., `npm install -g docx@x.y.z`, `pip install defusedxml==x.y.z`). For system packages, consider using a specific version if available or documenting the tested version. | LLM | SKILL.md:194 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text) | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |