The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/office/soffice.py performs runtime compilation and process injection. It defines a C source string, writes it to a temporary file, and invokes the gcc compiler to create a shared object (.so). It then executes the soffice (LibreOffice) binary with the LD_PRELOAD environment variable set to the path of the compiled shim. While the shim is intended to allow LibreOffice to run in environments with restricted unix sockets, the capability to generate, compile, and inject code into processes at runtime is a high-risk pattern.
[PROMPT_INJECTION]: The skill possesses a significant vulnerability surface for indirect prompt injection due to its complex document processing pipeline and powerful tool access.
Ingestion points: Multiple scripts, including scripts/office/unpack.py, scripts/thumbnail.py, and scripts/office/validate.py, read and extract content (XML and media) from user-provided .pptx and .docx files.
Boundary markers: There are no boundary markers or instructions to the agent to ignore embedded instructions when parsing the extracted document content.
Capability inventory: The skill has access to several high-privilege capabilities, including arbitrary command execution via subprocess (gcc, soffice, pdftoppm, git), and extensive file system write access for repacking documents.
Sanitization: While the skill uses defusedxml to protect against XML-based attacks like XXE, it lacks sanitization or validation of the logical content extracted from documents before it is interpolated into the agent's context.

oci-pptx