
pptx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • DATA_EXFILTRATION (HIGH): Path Traversal (Zip Slip) via archive extraction.
  • Evidence: In ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py, the code uses zipfile.ZipFile.extractall() to unpack OOXML files. This method is vulnerable to Zip Slip, where a malicious archive containing entries with ../ sequences can overwrite or create files outside the intended directory, potentially leading to data theft or system compromise.
  • DATA_EXFILTRATION (MEDIUM): Potential XML External Entity (XXE) vulnerability.
  • Evidence: In ooxml/scripts/validation/docx.py, the script uses lxml.etree.parse() on XML files extracted from untrusted documents. By default, lxml versions may be vulnerable to XXE if they resolve external entities, allowing an attacker to read local files by embedding entity references in the document XML.
  • COMMAND_EXECUTION (LOW): Execution of system commands via subprocess.
  • Evidence: In ooxml/scripts/pack.py, the skill executes the soffice command (LibreOffice) to validate documents. While it uses a list of arguments, the file paths are derived from user input, which could be exploited in specific environments if combined with path manipulation.
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface.
  • Evidence: The skill is designed to ingest and process untrusted document formats (.docx, .pptx, .xlsx) which can contain adversarial instructions meant to hijack the agent's logic once the content is read into the context.
  • Ingestion points: ooxml/scripts/unpack.py (line 14), ooxml/scripts/validate.py (line 33).
  • Boundary markers: None. The skill does not use delimiters or warnings to separate document content from agent instructions.
  • Capability inventory: File system write access, XML parsing, and system command execution (soffice).
  • Sanitization: Although defusedxml is used in pack.py and unpack.py, it is bypassed in docx.py in favor of raw lxml, and the archive extraction itself is unsanitized.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:25 PM