Gen Agent Trust Hub audit: skills/cacr92/wereply/docx

Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM (findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The ooxml/scripts/unpack.py script uses zipfile.extractall() without validating that the archive members' paths are restricted to the target directory. This presents a ZipSlip vulnerability where a maliciously crafted docx file could overwrite sensitive system files if processed by the agent.
  • [COMMAND_EXECUTION]: The skill executes external binaries soffice (LibreOffice) and git using subprocess.run for document validation and comparison tasks. While implemented with argument lists to prevent basic shell injection, these represent high-privilege operations performed on user-controlled file content.
  • [PROMPT_INJECTION]: The skill includes explicit instructions in SKILL.md, such as 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits', which attempt to override the AI agent's standard tool-use constraints for reading large documentation files.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests and processes untrusted content from docx files. Instructions embedded in documents could influence the agent's behavior during analysis.
      • Ingestion points: SKILL.md (via pandoc), scripts/document.py (via XML parsing).
      • Boundary markers: Absent. The skill does not provide instructions or delimiters to isolate document text from the agent's instruction context.
      • Capability inventory: File system write access, arbitrary command execution through provided scripts, and subprocess calls to soffice and git.
      • Sanitization: While the skill uses defusedxml in several core components, validation modules (e.g., ooxml/scripts/validation/base.py) rely on lxml.etree.parse() in a default configuration that may be vulnerable to XML External Entity (XXE) attacks.
  • [EXTERNAL_DOWNLOADS]: The skill documentation in SKILL.md directs the installation of external dependencies including pandoc, libreoffice, poppler-utils, and the docx Node.js library from public registries and repositories.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 10, 2026, 12:26 AM