技能 docx 審計歷史
📄

審計歷史

docx - 4 審計

審計版本 4

最新 安全

Jan 17, 2026, 06:51 AM

This is a legitimate document processing skill with no security concerns. All 1146 static findings are false positives: documentation code blocks (pandoc, soffice commands), OOXML schema namespace URLs, and XML attribute names misidentified as crypto/C2 patterns. The code uses safe XML parsing (defusedxml) to prevent XXE attacks.

61
已掃描檔案
25,568
分析行數
3
發現項
claude
審計者
未發現安全問題

風險因素

📁 檔案系統存取 (3)
scripts/utilities.py:37-38 scripts/document.py:36 ooxml/scripts/unpack.py:1-30
🌐 網路存取 (2)
LICENSE.txt:8-9 ooxml/schemas/microsoft/wml-2012.xsd:1-5
⚡ 包含腳本 (2)
ooxml/scripts/pack.py:1-160 ooxml/scripts/validation/base.py:1-100

審計版本 3

安全

Jan 17, 2026, 06:51 AM

This is a legitimate document processing skill with no security concerns. All 1146 static findings are false positives: documentation code blocks (pandoc, soffice commands), OOXML schema namespace URLs, and XML attribute names misidentified as crypto/C2 patterns. The code uses safe XML parsing (defusedxml) to prevent XXE attacks.

61
已掃描檔案
25,568
分析行數
3
發現項
claude
審計者
未發現安全問題

風險因素

📁 檔案系統存取 (3)
scripts/utilities.py:37-38 scripts/document.py:36 ooxml/scripts/unpack.py:1-30
🌐 網路存取 (2)
LICENSE.txt:8-9 ooxml/schemas/microsoft/wml-2012.xsd:1-5
⚡ 包含腳本 (2)
ooxml/scripts/pack.py:1-160 ooxml/scripts/validation/base.py:1-100

審計版本 2

安全

Jan 12, 2026, 04:27 PM

This is a legitimate document processing skill with no security concerns. All static findings are false positives: documentation code blocks (pandoc, soffice commands), OOXML schema namespace URLs, and XML attribute names misidentified as crypto/C2 patterns. The code uses safe XML parsing (defusedxml) to prevent XXE attacks.

59
已掃描檔案
24,761
分析行數
3
發現項
claude
審計者
未發現安全問題

風險因素

⚡ 包含腳本 (2)
ooxml/scripts/pack.py:1-160 ooxml/scripts/validation/base.py:1-100
🌐 網路存取 (2)
LICENSE.txt:8-9 ooxml/schemas/microsoft/wml-2012.xsd:1-5
📁 檔案系統存取 (3)
scripts/utilities.py:37-38 scripts/document.py:36 ooxml/scripts/unpack.py:1-30

審計版本 1

低風險

Jan 4, 2026, 05:14 PM

This is a legitimate document processing skill with controlled filesystem access and secure XML parsing. Uses defusedxml library to prevent XXE attacks. External commands (soffice, git) are called with hardcoded paths and controlled arguments. Operations are confined to user-specified files within designated workspaces.

23
已掃描檔案
5,590
分析行數
4
發現項
claude
審計者
中風險問題 (1)
ooxml/scripts/pack.py:103-116ooxml/scripts/validation/redlining.py:153-163
External command execution for validation
The skill executes external commands (soffice and git) via subprocess.run for document validation and diff comparison. While arguments are controlled, external command execution inherently carries risk. An attacker with control over document content could potentially craft input that causes unexpected behavior. Code: pack.py lines 103-116 uses subprocess.run(['soffice', '--headless', '--convert-to', ...]) for validation

風險因素

📁 檔案系統存取 (4)
scripts/document.py:634-642 scripts/utilities.py:55-74 ooxml/scripts/unpack.py:14-17 ooxml/scripts/pack.py:64-79
⚙️ 外部命令 (2)
ooxml/scripts/pack.py:103-116 ooxml/scripts/validation/redlining.py:153-163
⚡ 包含腳本 (2)
ooxml/scripts/pack.py:1-160 ooxml/scripts/unpack.py:1-29
← 返回技能