The Agent Skills Directory

[PROMPT_INJECTION]: The SKILL.md file uses forceful directives like "MANDATORY
READ ENTIRE FILE" and "NEVER set any range limits" to override the AI agent's default context management and file-reading strategies.
[COMMAND_EXECUTION]: The ooxml/scripts/unpack.py script is vulnerable to a "Zip Slip" attack because it uses zipfile.ZipFile.extractall() without validating archive member paths. This could allow a malicious document to perform path traversal and overwrite arbitrary files on the host system.
[COMMAND_EXECUTION]: Multiple scripts (pack.py, unpack.py, redlining.py) utilize subprocess.run to execute system binaries like soffice, git, and pandoc, granting the agent the capability to interact with the host environment through external tools.
[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user-supplied documents, creating a surface for indirect prompt injection.
Ingestion points: OOXML XML files parsed by unpack.py and the Document library.
Boundary markers: Absent; extracted text content is passed directly to the agent.
Capability inventory: Subprocess execution and file system write operations.
Sanitization: While defusedxml is used for secure XML parsing, there is no sanitization of extracted text content against embedded malicious instructions.
[REMOTE_CODE_EXECUTION]: The skill is designed as a framework for the agent to generate and execute custom Python and JavaScript code at runtime. While the documentation provides templates, this design represents a significant dynamic execution surface that requires human oversight.

docx