skills/dvduongth/skills/xlsx/Gen Agent Trust Hub

xlsx

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Runtime compilation and process injection. The script 'scripts/office/soffice.py' implements a mechanism to write a C source shim to a temporary file, compile it using 'gcc', and then use the 'LD_PRELOAD' environment variable to inject the resulting shared library into the 'soffice' (LibreOffice) process. This is intended to handle restrictions on Unix sockets in sandboxed environments but represents a highly privileged dynamic execution pattern.
  • [COMMAND_EXECUTION]: Arbitrary system binary execution. Multiple scripts ('scripts/office/soffice.py', 'scripts/recalc.py', 'scripts/office/validators/redlining.py') execute external system binaries including 'soffice', 'gcc', 'git', and 'timeout'/'gtimeout' via the 'subprocess.run' interface for core functionality like formula recalculation and document validation.
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface. The skill possesses a significant attack surface for indirect prompt injection because it is designed to ingest and process untrusted spreadsheet data ('xlsx', 'csv') while maintaining powerful capabilities like system command execution and full file system access. Evidence chain:
    1. Ingestion points: 'pandas.read_excel' and 'load_workbook' are used in 'SKILL.md' and 'scripts/recalc.py' to read external files.
    2. Boundary markers: No explicit instructions or delimiters are provided to the agent to ignore instructions embedded within the cell data.
    3. Capability inventory: The skill has access to subprocess execution and wide-ranging file system read/write operations.
    4. Sanitization: The skill properly uses 'defusedxml' for XML parsing, which mitigates XXE, but does not sanitize cell content before processing.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 5, 2026, 09:05 AM