skills/answerzhao/agent-skills/pptx/Gen Agent Trust Hub

pptx

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The scripts ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py use zipfile.extractall() to unpack Office documents. This method is vulnerable to 'ZipSlip' (path traversal) attacks, where a maliciously crafted archive containing filenames with traversal sequences (e.g., ../../target) can overwrite arbitrary files on the agent's host system.
  • DATA_EXFILTRATION (MEDIUM): The file ooxml/scripts/validation/docx.py uses lxml.etree.parse() to process XML files extracted from untrusted documents. Standard lxml parsing is vulnerable to XML External Entity (XXE) attacks, which can be exploited to read sensitive local files or perform internal network probing. This is inconsistent with other parts of the skill that correctly use defusedxml.
  • COMMAND_EXECUTION (LOW): The script ooxml/scripts/pack.py calls the external binary soffice (LibreOffice) using subprocess.run. While the arguments are passed as a list to prevent shell injection, it introduces a dependency on an external system component with a large attack surface.
  • PROMPT_INJECTION (LOW): This skill ingests and processes Office documents, representing an indirect prompt injection surface.
      1. Ingestion points: XML content is extracted and parsed in unpack.py and docx.py.
      2. Boundary markers: None identified; extracted text and XML are processed without delimiters or 'ignore' instructions.
      3. Capability inventory: The skill can write files to the system via zipfile and execute external commands via soffice.
      4. Sanitization: While defusedxml is used in some modules, the skill lacks validation for ZIP member paths and does not sanitize document content against adversarial instructions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:18 PM