xlsx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
- [Persistence Mechanisms] (HIGH): The function `setup_libreoffice_macro` in `recalc.py` writes a StarBasic macro to the user's LibreOffice configuration directory (`~/.config/libreoffice/` or `~/Library/Application Support/LibreOffice/`). This modifies the application environment permanently to facilitate the recalculation feature, which is a persistence-like behavior that affects the host system beyond the skill's execution context.
- [Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted Excel files provided by users or external sources. Because it utilizes high-privilege capabilities (writing to config, executing subprocesses) while processing this data, it creates a significant injection surface.
  - Ingestion points: The `filename` argument in `recalc.py` is used to load workbooks via `openpyxl` and open files via `soffice`.
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded malicious content within the Excel files.
  - Capability inventory: The skill can write to the filesystem (`macro_file`) and execute system commands (`soffice`, `timeout`, `gtimeout`).
  - Sanitization: There is no validation or sanitization of the Excel file content or the file path beyond basic existence checks.
- [Dynamic Execution] (MEDIUM): The skill generates StarBasic code as a string at runtime, writes it to a file, and then triggers its execution via the `vnd.sun.star.script` URI scheme. While the generated code is currently benign, this pattern is a common vector for executing dynamically generated malicious logic.
- [Command Execution] (MEDIUM): The script uses `subprocess.run` to invoke `soffice` and system timeout utilities. While it uses a list for arguments to prevent simple shell injection, the execution of a complex office suite on arbitrary user-provided files is a high-risk operation.
Recommendations
- AI detected serious security threats
Audit Metadata