Trust Assessment
docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 5 critical, 8 high, 1 medium, and 2 low severity. Key findings include arbitrary command execution, a dangerous call to subprocess.run(), and network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Detail | Recommended fix | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/document-skills/docx/ooxml/scripts/pack.py:103 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/document-skills/docx/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/document-skills/docx/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | Prompt injection attempt: override LLM file-reading behavior | The skill instructs the host LLM to "NEVER set any range limits" when reading a file, an attempt to bypass content filtering or context-window management that could be used to pull large amounts of data into context or to inject further instructions. | Remove directives that try to control the LLM's internal mechanisms, such as "NEVER set any range limits". LLM behavior should be governed by its core instructions, not by untrusted skill content. | LLM | SKILL.md:59 |
| CRITICAL | Prompt injection attempt: override LLM file-reading behavior | The skill instructs the host LLM to "NEVER set any range limits" when reading a file, an attempt to bypass content filtering or context-window management that could be used to pull large amounts of data into context or to inject further instructions. | Remove directives that try to control the LLM's internal mechanisms, such as "NEVER set any range limits". LLM behavior should be governed by its core instructions, not by untrusted skill content. | LLM | SKILL.md:74 |
| HIGH | Dangerous call: subprocess.run() | Call to `subprocess.run()` in function `validate_document`; this can execute arbitrary code. | Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | cli-tool/components/skills/scientific/document-skills/docx/ooxml/scripts/pack.py:103 |
| HIGH | Dangerous call: subprocess.run() | Call to `subprocess.run()` in function `_get_git_word_diff`; this can execute arbitrary code. | Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | cli-tool/components/skills/scientific/document-skills/docx/ooxml/scripts/validation/redlining.py:153 |
| HIGH | Dangerous call: subprocess.run() | Call to `subprocess.run()` in function `_get_git_word_diff`; this can execute arbitrary code. | Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | cli-tool/components/skills/scientific/document-skills/docx/ooxml/scripts/validation/redlining.py:185 |
| HIGH | Command injection via `subprocess.run` with untrusted input | `pack.py` executes `soffice` via `subprocess.run`, passing `doc_path` (derived from `sys.argv[2]`, an untrusted command-line argument) as one element of the command. Note that the call already passes an argv list with `shell=False`, so no shell parses the value: a name such as `malicious.docx; rm -rf /` reaches `soffice` as a single literal filename and does not execute. The residual risks are a value beginning with `-` being parsed by `soffice` as an option, and path traversal through `..` or symlinks in `doc_path`. | Resolve `doc_path` and confine it to the workspace directory, reject values that start with `-`, keep the argv-list form with `shell=False`, and add a timeout. `shlex.quote()` is only relevant when a command string is built, which is not the case here; the most robust option is to validate the filename strictly or generate it from a securely created temporary name. | Static | ooxml/scripts/pack.py:95 |
| HIGH | Zip Slip in `zipfile.extractall` | `unpack.py` calls `zipfile.ZipFile(input_file).extractall(output_path)` with `input_file` taken directly from `sys.argv[1]`. A `.docx` is a ZIP archive, so an attacker can supply entries with traversal names such as `../../../../etc/passwd`. Note that CPython's `ZipFile.extract` strips leading separators and `..` components (since 3.3.1), so on a current interpreter such an entry is written inside `output_path` under a sanitized name rather than outside it; archives are still extracted without any size limit. | Validate each member name before extraction and reject, rather than silently rename, names with absolute or `..` components. Check containment with `os.path.commonpath` rather than `os.path.abspath(target).startswith(os.path.abspath(output_path))`, since the prefix test accepts `/tmp/outside` for a base of `/tmp/out`. Enforce a budget on total decompressed size, or use a library that provides these protections. | Static | ooxml/scripts/unpack.py:13 |
| HIGH | Zip Slip in `zipfile.extractall` | `RedliningValidator` in `redlining.py` calls `zipfile.ZipFile(self.original_docx, 'r').extractall(temp_path)` with `self.original_docx` derived from a command-line argument. The same considerations as for `unpack.py` apply: CPython sanitizes `..` and absolute names on extraction, but nothing bounds the decompressed size and hostile archives are not rejected. | Validate member names before extraction, check containment with `os.path.commonpath` against `temp_path`, enforce a decompressed-size budget, or use a library that provides built-in Zip Slip protection. | Static | ooxml/scripts/validation/redlining.py:64 |
| HIGH | Arbitrary file read via untrusted `xml_path` | `XMLEditor`, used by `DocxXMLEditor` and in turn by the `Document` class, takes `xml_path` as an argument and reads it directly with `open(self.xml_path, 'rb')`. If `xml_path` can be influenced by untrusted input (e.g. `../../../../etc/passwd`), an attacker can read arbitrary files from the filesystem. | Validate `xml_path` so that it resolves to a file inside the expected unpacked document directory; reject traversal sequences (`..`) and resolve symlinks before the containment check. | Static | scripts/utilities.py:42 |
| HIGH | Arbitrary file read via untrusted `unpacked_dir` | `BaseSchemaValidator` (and subclasses such as `DOCXSchemaValidator` and `PPTXSchemaValidator`) iterates over XML files under `self.unpacked_dir` and parses them with `lxml.etree.parse(str(xml_file))`. If `unpacked_dir` is an untrusted path (e.g. a symlink to `/`), the validator will read arbitrary XML files from the filesystem. | Validate `unpacked_dir` so that it resolves to a securely created temporary directory or a directory inside the skill's designated workspace; reject traversal sequences and symlinks that lead outside that scope. | Static | ooxml/scripts/validation/base.py:160 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to a raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses; legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| LOW | Inconsistent XML parser usage | `redlining.py` parses `modified_file` and `original_file` with `xml.etree.ElementTree`, while `pack.py`, `unpack.py` and `utilities.py` use `defusedxml.minidom`, which is designed to block XML attacks such as XXE. The current use in `redlining.py` may not be exploitable, since it parses the skill's own original and modified XML, but it deviates from the rest of the skill and becomes risky if the XML source or processing changes. | Use `defusedxml` consistently for all XML parsing in the skill, especially for XML that originates from or was modified by untrusted sources: replace `xml.etree.ElementTree` with `defusedxml.ElementTree` or `defusedxml.minidom`. | Static | ooxml/scripts/validation/redlining.py:74 |
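The three code-level patterns that recur in the table (unchecked `extractall` on an attacker-supplied `.docx`, an unconfined `xml_path`/`unpacked_dir`, and `subprocess.run` on a user-supplied path) share one fix: resolve the path, prove it stays inside a known base, and never hand it to a shell. The block below is an added example written for this page, not the docx skill's own code. The `soffice` path and flags (`/usr/bin/soffice --headless --convert-to pdf --outdir`) and the function names `resolve_inside`, `safe_extract`, `converter_argv`, `run_converter` and `demo` are assumptions for illustration; the archives it extracts are constructed in memory.

```python
"""Added example (not the docx skill's code): hardening for the three
code-level patterns flagged in the report. Names, the soffice path and
its flags are assumptions for illustration."""
import os
import shutil
import subprocess
import zipfile
from io import BytesIO
from pathlib import Path
from tempfile import TemporaryDirectory

SOFFICE = "/usr/bin/soffice"  # assumption: absolute path to the converter


def resolve_inside(base, target):
    """Resolve target against base and require the result to stay inside base.

    commonpath rather than str.startswith, so '/tmp/out' does not accept
    '/tmp/outside/x'; resolve() follows symlinks first, so a link pointing
    out of base is rejected as well.
    """
    base_r = Path(base).resolve()
    target_r = (base_r / target).resolve()  # an absolute target replaces base
    if os.path.commonpath([base_r, target_r]) != str(base_r):
        raise ValueError(f"{target!s} escapes {base_r}")
    return target_r


def safe_extract(archive, dest, max_total=200 * 2**20):
    """Extract a DOCX (a ZIP) into dest, refusing traversal entries and bombs.

    CPython's ZipFile.extract already drops leading separators and '..'
    components (Python 3.3.1+), so '../../evil.txt' would land inside dest
    as 'evil.txt'. Checking explicitly rejects such archives outright instead
    of silently renaming, and adds the size budget zipfile does not provide.
    """
    dest_r = Path(dest).resolve()
    written, total = [], 0
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.filename.startswith(("/", "\\")) or ".." in Path(info.filename).parts:
                raise ValueError(f"rejected archive entry {info.filename!r}")
            out = resolve_inside(dest_r, info.filename)  # independent second check
            total += info.file_size  # ZipExtFile never yields more than the declared size
            if total > max_total:
                raise ValueError("archive exceeds decompressed-size budget")
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(out.relative_to(dest_r).as_posix())
    return written


def converter_argv(doc_path, workspace):
    """Static, shell-free argv for a soffice conversion of doc_path (flags assumed).

    An argv list run with shell=False means ';' or '$(...)' in the name is a
    literal character; the path is confined to workspace, and being absolute
    after resolution it can never start with '-' and be parsed as an option.
    """
    target = resolve_inside(workspace, doc_path)
    if target.suffix.lower() != ".docx":
        raise ValueError("expected a .docx file")
    return [SOFFICE, "--headless", "--convert-to", "pdf",
            "--outdir", str(target.parent), str(target)]


def run_converter(argv, timeout=120):
    """No shell, explicit timeout, non-zero exit raises CalledProcessError."""
    return subprocess.run(argv, shell=False, check=True, timeout=timeout, capture_output=True)


def _zip_bytes(entries):
    """Constructed fixture: an in-memory ZIP built from {name: bytes}."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Exercise the helpers on constructed archives and names; returns a dict."""
    clean = _zip_bytes({"word/document.xml": b"<w:document/>", "[Content_Types].xml": b"<Types/>"})
    hostile = _zip_bytes({"word/document.xml": b"<w:document/>", "../../evil.txt": b"pwned"})
    r = {}
    with TemporaryDirectory() as ws:
        r["clean_files"] = sorted(safe_extract(BytesIO(clean), os.path.join(ws, "unpacked")))
        try:
            safe_extract(BytesIO(hostile), os.path.join(ws, "unpacked2"))
            r["hostile_rejected"] = False
        except ValueError:
            r["hostile_rejected"] = True
        stdlib_dir = os.path.join(ws, "stdlib")  # stdlib comparison: '..' is stripped, not honoured
        with zipfile.ZipFile(BytesIO(hostile)) as zf:
            zf.extractall(stdlib_dir)
        r["stdlib_lands_inside"] = os.path.exists(os.path.join(stdlib_dir, "evil.txt"))
        r["xml_inside"] = resolve_inside(ws, "word/document.xml").name == "document.xml"
        try:
            resolve_inside(ws, "../../../../etc/passwd")
            r["xml_escape_rejected"] = False
        except ValueError:
            r["xml_escape_rejected"] = True
        argv = converter_argv("weird; name $(id).docx", ws)
        r["argv_len"] = len(argv)
        r["argv_last_is_literal"] = argv[-1].endswith("weird; name $(id).docx")
    return r
```

`demo()` shows the two points the table's Zip Slip rows leave implicit: the stdlib already neutralises the `..` payload (it ends up as `stdlib/evil.txt`), so the explicit check buys rejection and a size budget rather than a fix for a live traversal; and with an argv list and `shell=False`, a filename full of shell metacharacters stays a single literal argument, so the real value of `converter_argv` is the containment and extension checks, not quoting.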
Full report: https://skillshield.io/report/cf00fe1402179cbd (SkillShield)