Security Audit
snyk/agent-scan:tests/skills/docx
github.com/snyk/agent-scan
Trust Assessment
snyk/agent-scan:tests/skills/docx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 6 critical, 8 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 1, 2026 (commit 30a672c5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/docx/ooxml/scripts/pack.py:102 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/docx/ooxml/scripts/validation/redlining.py:143 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/docx/ooxml/scripts/validation/redlining.py:175 |
| CRITICAL | Command Injection via Shell Commands in Skill Instructions. The `SKILL.md` file instructs the LLM to execute several shell commands (`pandoc`, `python unpack.py`, `python pack.py`, `soffice`, `pdftoppm`) that directly incorporate user-controlled input (e.g., `path-to-file.docx`, `<office_file>`, `<output_directory>`, `document.pdf`, `page`). If the LLM substitutes user input into these commands without proper sanitization or escaping, a malicious user could inject arbitrary shell commands, leading to arbitrary code execution on the host system. All user-controlled inputs passed to shell commands must be properly sanitized or escaped (e.g., using `shlex.quote` in Python) before execution. The LLM should be explicitly instructed to use safe execution methods for external commands. | LLM | SKILL.md:29 |
| CRITICAL | Command Injection in `pack.py` via `soffice` call. The `pack.py` script uses `subprocess.run` to execute `soffice` with `str(doc_path)`. The `doc_path` variable is derived from `args.output_file`, which is a user-provided argument to the script. A malicious user could craft `output_file` to contain shell metacharacters, leading to arbitrary command execution when `soffice` is invoked. Ensure that all arguments passed to `subprocess.run` that originate from user input are properly escaped using `shlex.quote` or passed as a list of arguments to prevent shell injection. For example, `subprocess.run(['soffice', ..., shlex.quote(str(doc_path))])` or `subprocess.run(['soffice', ..., str(doc_path)])` if `shell=False` is used (which is the default and recommended). | LLM | ooxml/scripts/pack.py:97 |
| CRITICAL | XML External Entity (XXE) Vulnerability in `redlining.py`. The `redlining.py` script uses `xml.etree.ElementTree.parse()` to parse XML files (`modified_file`, `original_file`) that are derived from user-provided `.docx` documents. The `xml.etree.ElementTree` library is vulnerable to XML External Entity (XXE) attacks by default, which can lead to information disclosure (e.g., reading local files), server-side request forgery (SSRF), or denial of service (DoS) via XML bombs. While `defusedxml` is used in other parts of the project, it is not used here, leaving this component vulnerable. Replace `xml.etree.ElementTree` with `defusedxml.ElementTree` (or `defusedxml.lxml` if `lxml` is preferred) for parsing XML files that originate from untrusted sources. This will prevent XXE and other XML parsing vulnerabilities. | LLM | ooxml/scripts/validation/redlining.py:59 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/docx/ooxml/scripts/pack.py:143 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/docx/scripts/document.py:126 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/docx/scripts/utilities.py:310 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/docx/scripts/utilities.py:333 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/docx/ooxml/scripts/pack.py:102 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/docx/ooxml/scripts/validation/redlining.py:143 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/docx/ooxml/scripts/validation/redlining.py:175 |
| HIGH | Zip Slip Vulnerability in `unpack.py`. The `unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)`. The `extractall` method is known to be vulnerable to 'zip slip' attacks. A malicious `input_file` (a crafted zip archive) could contain file entries with path traversal sequences (e.g., `../../../../etc/passwd`), allowing an attacker to write files to arbitrary locations outside the intended `output_path`, potentially leading to data corruption or system compromise. Implement a secure extraction process. Before extracting each file from the archive, validate that its resolved path remains strictly within the designated `output_path`. A common approach is to join `output_path` with the member's name and then check if the resulting path starts with `output_path`. | LLM | ooxml/scripts/unpack.py:13 |