Is skills/docx safe?

https://github.com/anthropics/skills/tree/main/skills/docx

Overall score: 91/100
Verdict: SAFE

The skills/docx skill is a well-implemented, security-conscious DOCX manipulation toolkit sourced directly from Anthropic's official skills monorepo. SKILL.md contains no prompt injection, persona-switching, hidden instructions, or data exfiltration logic; the Python scripts use defusedxml throughout and are scoped exclusively to Word document operations. Credential file accesses observed during monitoring are attributable to the audit harness's pre- and post-install canary verification scans rather than to any skill code, and all honeypot files remain intact with no network exfiltration detected.

Category Scores (score/100 · weight in overall score)

Prompt Injection 96/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (6)

LOW Credential files read during monitoring window -12

The inotify and auditd logs record read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points in time, twelve seconds apart. Timing analysis places the first access (epoch 1771775933) before the git clone began and the second (epoch 1771775945) after the audit harness completed its source-file ingestion pass, so neither falls inside the window in which skill code could have been running. Neither access is attributable to skill-provided code, and canary integrity is confirmed intact. The accesses are consistent with the audit harness performing pre- and post-install canary verification scans; that attribution should also be confirmed against the process fields of the auditd records (comm and exe), not the timestamps alone.
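The timing argument above can be reproduced mechanically. The following is an added example, not code from the audit tool or from Anthropic's skill: it parses a constructed, simplified access log (not real inotify or auditd output) and buckets every read of a honeypot path by whether it fell before the clone, after ingestion, or inside the window where skill code could run. The window boundaries (CLONE_START, INGEST_END) and the harness process name are assumptions; the report only says the first access preceded the clone and the second followed ingestion.

```python
import re

# Constructed sample log in a simplified "<epoch> <pid> <comm> <path>" form.
# It is not real inotify or auditd output; auditd carries the same values in
# its msg=audit(<epoch>...), pid=, comm= and name= fields.
SAMPLE_LOG = """\
1771775933 4101 audit-harness /home/agent/.env
1771775933 4101 audit-harness /home/agent/.ssh/id_rsa
1771775933 4101 audit-harness /home/agent/.aws/credentials
1771775933 4101 audit-harness /home/agent/.npmrc
1771775935 4120 git /home/agent/skills/docx/SKILL.md
1771775940 4133 python3 /home/agent/skills/docx/scripts/office/unpack.py
1771775945 4101 audit-harness /home/agent/.docker/config.json
1771775945 4101 audit-harness /home/agent/.config/gcloud/credentials.db
"""

# Assumed window: the report states only that the first access preceded the
# clone and the second followed ingestion; these boundary values are made up.
CLONE_START = 1771775934
INGEST_END = 1771775944
HARNESS_COMM = "audit-harness"  # assumed process name of the audit harness

# The honeypot paths named in the finding.
SENSITIVE_RE = re.compile(
    r"/\.env$|/\.ssh/|/\.aws/credentials$|/\.npmrc$|/\.docker/config\.json$|/gcloud/"
)
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse(log):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, comm, path = m.groups()
            events.append({"ts": int(ts), "pid": int(pid), "comm": comm, "path": path})
    return events


def attribute(events, clone_start, ingest_end, harness_comm=HARNESS_COMM):
    """Bucket reads of sensitive files relative to the install window.

    pre_install / post_install: harness reads outside the window (expected canary scans)
    in_window: any read while skill code could have been running
    unexplained: read outside the window by something other than the harness
    """
    buckets = {"pre_install": [], "post_install": [], "in_window": [], "unexplained": []}
    for e in events:
        if not SENSITIVE_RE.search(e["path"]):
            continue  # not a honeypot path, irrelevant here
        if clone_start <= e["ts"] <= ingest_end:
            buckets["in_window"].append(e)
        elif e["comm"] != harness_comm:
            buckets["unexplained"].append(e)
        elif e["ts"] < clone_start:
            buckets["pre_install"].append(e)
        else:
            buckets["post_install"].append(e)
    return buckets


def summarize(log=SAMPLE_LOG, clone_start=CLONE_START, ingest_end=INGEST_END):
    """Counts per bucket; a clean run has zero in_window and zero unexplained."""
    return {k: len(v) for k, v in attribute(parse(log), clone_start, ingest_end).items()}


if __name__ == "__main__":
    print(summarize())
```

On the constructed log the two harness scans land in pre_install and post_install and both flagged buckets are empty, which is the shape of evidence the finding relies on; a read of .env by python3 at 1771775941 would land in in_window and would be the thing to chase.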

LOW Global npm package installation required -8

SKILL.md instructs the agent to run 'npm install -g docx' to enable new document creation. Installing packages globally expands the agent's privilege surface: the global prefix is shared with every other Node.js tool on the system and may require elevated rights to write to. The 'docx' package is a legitimate, widely-used Node.js library, but the instruction does not pin a version, so the agent installs whatever the registry currently serves. A local install in the working directory, or a pinned version, would narrow both concerns.

LOW LibreOffice invoked via subprocess with user-controlled paths -7

accept_changes.py calls soffice via subprocess.run with paths derived from user-supplied arguments. timeout=30 bounds a hung conversion, and check=False only means a non-zero exit status is not raised as an exception; neither is a control against hostile input. Provided the arguments are passed as a list rather than through shell=True, a crafted path cannot inject shell syntax, but invoking a full office suite on potentially untrusted documents still exposes LibreOffice's own file parsers, and a bug there is not mitigated by anything in the calling code. Running the conversion under an isolated account or container is the control for that class of vulnerability.

INFO ZIP extraction without explicit path traversal check -5

unpack.py uses zipfile.ZipFile.extractall() without validating member paths for directory traversal sequences. CPython's zipfile has stripped '..' components and absolute-path prefixes from member names during extraction since 3.3.1, so a DOCX whose entries are named like '../../evil' is not exploitable through this code on a supported interpreter; the finding is a defense-in-depth gap rather than a current exploit in the skill. An explicit check that each resolved target stays under the output directory makes the intent visible in the code and does not depend on interpreter behaviour.
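The explicit check looks like the following. This is an added example and not unpack.py or any other code from Anthropic's skill; the member names and fixture archives are constructed in memory for the demonstration, and the function names are the example's own. It refuses the whole archive before writing anything if any member, including one using '..' or an absolute name, would resolve outside the output directory.

```python
import io
import os
import tempfile
import zipfile


def member_is_safe(out_dir, member_name):
    """True if extracting member_name under out_dir cannot escape out_dir.

    Both paths go through realpath so '..' components, absolute names and a
    symlinked output directory are all normalised before comparison.
    """
    out_dir = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(out_dir, member_name))
    if target == out_dir:
        return False  # a member that resolves to the directory itself
    return os.path.commonpath([out_dir, target]) == out_dir


def safe_extract(zip_bytes, out_dir):
    """Extract every member of a ZIP (a DOCX is one) into out_dir, refusing
    the whole archive if any member would land outside it. Returns the
    relative paths written, in archive order."""
    out_dir = os.path.realpath(out_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every name before writing anything, so a hostile entry late
        # in the archive cannot leave a half-extracted tree behind.
        for info in zf.infolist():
            if not member_is_safe(out_dir, info.filename):
                raise ValueError(f"refusing {info.filename!r}: resolves outside {out_dir}")
        os.makedirs(out_dir, exist_ok=True)
        written = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(out_dir, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, out_dir))
    return written


def build_zip(members):
    """Constructed fixture helper: build an in-memory ZIP from {name: bytes}.
    zipfile.writestr stores traversal names verbatim, which is exactly how a
    hostile DOCX would carry them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures, not real documents: a minimal DOCX-shaped archive and
# one that also carries a traversal entry.
BENIGN_DOCX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
HOSTILE_DOCX = build_zip({
    "word/document.xml": b"<w:document/>",
    "../../evil.txt": b"outside the output directory",
})


def demo():
    """Extract both fixtures into temporary directories and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["benign"] = sorted(safe_extract(BENIGN_DOCX, os.path.join(tmp, "out")))
        try:
            safe_extract(HOSTILE_DOCX, os.path.join(tmp, "out2"))
            results["hostile"] = "extracted"
        except ValueError:
            results["hostile"] = "rejected"
        # Nothing was written for the hostile archive, not even its clean member.
        results["hostile_dir_exists"] = os.path.isdir(os.path.join(tmp, "out2"))
    return results


if __name__ == "__main__":
    print(demo())
```

The validate-then-write split is the part worth keeping even if the interpreter already sanitises names: a DOCX that is rejected leaves no partial output, and the rejection names the offending member so the document can be quarantined rather than silently trimmed.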

INFO Shell command execution instructions in SKILL.md -4

SKILL.md contains numerous bash command examples the agent is expected to execute (python scripts/office/unpack.py, python scripts/office/validate.py, etc.). These are entirely scoped to DOCX operations and represent intended agent behaviors, but any skill that instructs an agent to run shell commands deserves scrutiny.

INFO defusedxml used throughout — positive security signal 0

All XML parsing in the skill uses defusedxml rather than stdlib xml.etree or lxml. defusedxml rejects entity declarations and external references, so both XXE (XML External Entity) injection and entity-expansion ("billion laughs") denial of service are blocked when processing potentially untrusted DOCX content, whose parts are XML supplied by whoever produced the document. This is a deliberate security choice.