docx

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to call system binaries soffice (from LibreOffice) and git. In ooxml/scripts/pack.py, soffice is used to validate documents by converting them to HTML. In ooxml/scripts/validation/redlining.py, git diff is used to compare text content. These are standard tools for document validation and analysis.
  • [EXTERNAL_DOWNLOADS]: Documentation in SKILL.md instructs the user to install several well-known external dependencies, including pandoc, LibreOffice, poppler-utils, and the docx library via system package managers and NPM.
  • [PROMPT_INJECTION]: The skill has a surface for Indirect Prompt Injection (Category 8) because it ingests content from untrusted Office documents and has access to powerful tools. Evidence:
      1. Ingestion points: Untrusted XML data is read from .docx files into the agent context in scripts/document.py and scripts/utilities.py.
      2. Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore commands that may be embedded in the document text.
      3. Capability inventory: The skill possesses capabilities including file system write access and execution of external binaries (soffice, git) via subprocess.
      4. Sanitization: While the skill correctly uses defusedxml to mitigate XML External Entity (XXE) attacks, it does not sanitize the extracted text content against malicious instructions targeting the AI agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 6, 2026, 12:32 AM