docx — agentic threat model
The docx agent presents moderate-to-high risk due to its execution of local Python scripts, LibreOffice, and pandoc on untrusted document files, making it susceptible to XML External Entity (XXE) injection, zip bombs, and remote code execution if not strictly sandboxed.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The listing mentions 'Anthropic's official skill' but does not specify the exact underlying Claude model. Standard LLM threats like prompt injection leading to malicious XML generation or script execution apply.
The agent reads and writes .docx files, unpacks XML, and manages images. This introduces significant data operations risks, including processing untrusted/malicious documents that could contain XML External Entity (XXE) payloads, zip bombs, or malicious embedded macros.
The agent uses docx-js and bundled Python scripts (unpack.py, pack.py, accept_changes.py, comment.py, soffice.py) to orchestrate document manipulation. Threats include tool misuse, command injection via malformed arguments passed to Python scripts, or insecure handling of file paths.
The agent runs LibreOffice (soffice.py) and pandoc conversions alongside Python scripts. If the hosting environment is not strictly sandboxed, running these heavy external binaries on untrusted user inputs poses severe remote code execution (RCE) and local file disclosure risks.
Not certain from the listing — No details are provided regarding logging, guardrails, or evaluation metrics for document generation or script execution.
Not certain from the listing — No explicit mention of identity, authorization, access control policies, or compliance frameworks (e.g., SOC2, ISO) for file access.
Not certain from the listing — The skill is described as a standalone tool/skill for document manipulation; there is no mention of multi-agent coordination or marketplace interactions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).