
docx

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill performs runtime generation, compilation, and injection of executable code to bypass environment restrictions.
      • Evidence: scripts/office/soffice.py contains a hardcoded C source string that is written to a temporary location, compiled using gcc, and then loaded into the soffice process via LD_PRELOAD to shim socket operations.
      • Evidence: scripts/accept_changes.py dynamically creates a LibreOffice StarBasic macro and saves it to the local profile to facilitate automated modifications.
  • [COMMAND_EXECUTION]: Extensive use of subprocesses to run system utilities increases the risk profile of the skill.
      • Evidence: Scripts execute gcc, soffice, pandoc, git, and pdftoppm using subprocess.run across multiple modules.
  • [EXTERNAL_DOWNLOADS]: The skill documentation specifies the global installation of external libraries.
      • Evidence: SKILL.md requires running npm install -g docx to enable document creation features.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection when processing untrusted Word documents and contains conflicting metadata.
      • Ingestion points: Modules like unpack.py and validate.py parse user-provided document files without established security boundaries or explicit markers.
      • Capability inventory: High. The skill can write files and execute arbitrary system commands, potentially allowing a malicious document to influence agent behavior.
      • Sanitization: Inconsistent. While defusedxml is used in some areas, other components like scripts/office/validators/redlining.py use the standard xml.etree.ElementTree, which is susceptible to XML external entity (XXE) attacks.
      • Metadata conflict: The manifest lists billylui as the author, while LICENSE.txt claims copyright for Anthropic, PBC.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 03:14 AM