docx

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The documentation instructs the agent to use sudo apt-get install to install system dependencies like pandoc, libreoffice, and poppler-utils (SKILL.md). This involves acquiring administrative permissions, which is a high-risk operation.
  • [PROMPT_INJECTION]: The skill uses instruction override patterns. In SKILL.md, it commands the agent to "NEVER set any range limits when reading" documentation files, which is an attempt to bypass standard agent context management and resource constraints.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Ingestion points: Untrusted .docx files are processed and their content (markdown or XML) is read by the agent (SKILL.md, ooxml.md). Boundary markers: No delimiters or safety instructions are used to separate document content from agent instructions. Capability inventory: The skill has broad capabilities, including executing shell commands, writing to the file system, and running dynamically generated code (docx-js.md, ooxml.md). Sanitization: The use of defusedxml provides protection against XML-level exploits, but there is no mechanism to prevent the agent from following natural language instructions found within the document data.
  • [COMMAND_EXECUTION]: The skill's primary function is the generation and execution of dynamic scripts (Python and JavaScript) to manipulate Office Open XML. While this is the intended functionality, it provides a powerful execution environment that can be exploited if the agent's logic is subverted via malicious document content.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 01:07 AM