docem

CLI utility for embedding XXE (XML External Entity) and XSS (Cross-Site Scripting) payloads into document formats that are ZIP archives containing XML files (DOCX, ODT, PPTX, XLSX). Designed for penetration testing and bug bounty hunting, to test how document processing systems handle such input.

Evaluated Mar 08, 2026, version: latest
Category: Security. Tags: xxe, xss, pentest, security-testing, document-injection, bugbounty, docx, odt, pptx, xlsx, oxml

  • ⚙ Agent Friendliness: 34 / 100 (Can an agent use this?)
  • 🔒 Security: 24 / 100 (Is it safe for agents?)
  • ⚡ Reliability: 32 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 0
  • Documentation: 65
  • Error Messages: 30
  • Auth Simplicity: 100
  • Rate Limits: 5

🔒 Security

  • TLS Enforcement: 10
  • Auth Strength: 10
  • Scope Granularity: 10
  • Dep. Hygiene: 40
  • Secret Handling: 60

Offensive security tool by design — generates XXE/XSS payloads for authorized testing. No license specified. Local-only execution. No network communication required for core functionality. Should only be used with proper authorization.

⚡ Reliability

  • Uptime/SLA: 0
  • Version Stability: 50
  • Breaking Changes: 55
  • Error Recovery: 25

Best When

Security researchers need to quickly generate document files with embedded XXE/XSS payloads to test how applications handle uploaded documents containing malicious XML content.

Avoid When

You need to test non-XML document formats, or you lack authorized access to the target system. This is a penetration testing tool that should only be used with proper authorization.

Use Cases

  • Creating test documents with XXE payloads for security testing of document upload functionality
  • Generating XSS-injected documents to test web applications that render uploaded document content
  • Batch-generating hundreds of payload-embedded documents with different injection modes
  • Bug bounty hunting against document processing and file upload endpoints

Not For

  • Malicious use against systems without authorization
  • MCP server integration — CLI tool only
  • Document creation or editing — injection tool only
  • Testing non-XML-based document formats (PDF, images, etc.)

Interface

  • REST API: No
  • GraphQL: No
  • gRPC: No
  • MCP Server: No
  • SDK: No
  • Webhooks: No

Authentication

OAuth: No. Scopes: No.

No authentication required. Runs as a local CLI tool.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Open source. No license specified in repository.

Agent Metadata

Idempotent: True
Retry Guidance: Not documented

Known Gotchas

  • Security/offensive tool — should only be used with explicit authorization
  • CLI tool — requires subprocess invocation, not an API or MCP server
  • Requires pre-created template documents with magic marker strings
  • Output goes to ./tmp/ directory — no configurable output path documented
  • No license specified — unclear redistribution rights
  • Last significant update may be dated — check maintenance status


Scores are editorial opinions as of 2026-03-08.
