Trust Assessment
docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 5 critical, 8 high, 1 medium, and 0 low severity. Key findings include arbitrary command execution, unsafe deserialization / dynamic eval, and a dangerous call to subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Recommendation: Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/docx-official/ooxml/scripts/pack.py:103` |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Recommendation: Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/docx-official/ooxml/scripts/validation/redlining.py:153` |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Recommendation: Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/docx-official/ooxml/scripts/validation/redlining.py:185` |
| CRITICAL | **Command Injection via External Process Execution.** The skill explicitly instructs the agent to execute external commands (`pandoc`, `soffice`, `pdftoppm`, `python scripts`) and the underlying Python scripts (`pack.py`, `redlining.py`) use `subprocess.run` to execute `soffice` and `git`. If arguments to these commands are constructed using unsanitized user input, an attacker could inject arbitrary shell commands, leading to remote code execution or data exfiltration. For example, a malicious filename could be crafted to execute arbitrary commands. Recommendation: Implement strict input validation and sanitization for all arguments passed to external commands. Use `shlex.quote()` for shell arguments or pass arguments as a list to `subprocess.run` to avoid shell interpretation. Avoid constructing command strings directly with user input. | LLM | `SKILL.md:40` |
| CRITICAL | **Directory Traversal via Zip Extraction.** The `unpack.py` script and `redlining.py` validator use `zipfile.ZipFile(...).extractall()` with user-controlled input files. A malicious `.docx` file (which is a zip archive) could contain paths like `../../etc/passwd` within its structure. When extracted, this could lead to overwriting or creating files outside the intended output directory, potentially compromising system integrity or leading to data exfiltration. Recommendation: Before extracting, inspect each member's name in the zip archive to ensure it does not contain directory traversal sequences (e.g., `..`, absolute paths). Only extract files whose paths are confirmed to be within the designated output directory. A common pattern is to use `zipfile.extract(member, path=output_dir)` after validating `member.name`. | LLM | `ooxml/scripts/unpack.py:14` |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | `skills/docx-official/ooxml/scripts/pack.py:144` |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | `skills/docx-official/scripts/document.py:128` |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | `skills/docx-official/scripts/utilities.py:314` |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | `skills/docx-official/scripts/utilities.py:337` |
| HIGH | **Dangerous call: subprocess.run().** Call to `subprocess.run()` detected in function `validate_document`. This can execute arbitrary code. Recommendation: Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | `skills/docx-official/ooxml/scripts/pack.py:103` |
| HIGH | **Dangerous call: subprocess.run().** Call to `subprocess.run()` detected in function `_get_git_word_diff`. This can execute arbitrary code. Recommendation: Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | `skills/docx-official/ooxml/scripts/validation/redlining.py:153` |
| HIGH | **Dangerous call: subprocess.run().** Call to `subprocess.run()` detected in function `_get_git_word_diff`. This can execute arbitrary code. Recommendation: Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | `skills/docx-official/ooxml/scripts/validation/redlining.py:185` |
| HIGH | **Unpinned Dependencies in Skill Instructions.** The skill's `SKILL.md` file instructs the agent to install several dependencies (`pandoc`, `docx` (npm), `LibreOffice`, `Poppler`, `defusedxml`) without specifying exact versions. This 'unpinned' dependency installation introduces a supply chain risk, as future versions of these packages could introduce vulnerabilities, breaking changes, or even malicious code. An attacker could potentially compromise a package repository to serve a malicious version. Recommendation: Specify exact versions for all dependencies. For `apt-get`, this might involve checking specific package versions or using a containerized environment with a fixed OS image. For `npm` and `pip`, use `package-lock.json` / `yarn.lock` and `requirements.txt` with pinned versions (e.g., `defusedxml==0.7.1`). | LLM | `SKILL.md:190` |
| MEDIUM | **Excessive Filesystem Permissions and Access.** The skill's core functionality involves extensive reading, writing, and manipulation of files and directories based on user-provided paths. Scripts like `unpack.py`, `pack.py`, `document.py`, and validation scripts operate on arbitrary file paths. While necessary for its function, this broad access to the filesystem, combined with potential command injection or directory traversal vulnerabilities, significantly increases the attack surface and the impact of a successful exploit. Recommendation: Implement a robust sandboxing mechanism or restrict the skill's filesystem access to only necessary directories. Ensure all file operations are performed within a tightly controlled and isolated environment. Validate and sanitize all file paths provided by the user to prevent access to unintended locations. | LLM | `SKILL.md:52` |
Full report: https://skillshield.io/report/37d3391e4b179ac7