pptx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The skill is vulnerable to Zip Slip (directory traversal) through the use of zipfile.extractall() on untrusted input files without path validation.
      • Evidence: In ooxml/scripts/unpack.py, the line zipfile.ZipFile(input_file).extractall(output_path) extracts content from a user-supplied Office document. A malicious document containing paths like ../../.ssh/authorized_keys could overwrite sensitive user files.
  • Data Exposure & Exfiltration (MEDIUM): The skill uses lxml.etree.parse on untrusted XML files without disabling external entity resolution, which can lead to XML External Entity (XXE) attacks.
      • Evidence: In ooxml/scripts/validation/docx.py, the method lxml.etree.parse(str(xml_file)) is used to process document components. This can be exploited to read local files if the attacker provides a crafted XML file within the OOXML container.
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted Office documents which are then used to drive sensitive file-system writes and external tool execution.
      • Ingestion points: ooxml/scripts/unpack.py (via input_file argument) and ooxml/scripts/validate.py.
      • Boundary markers: None present; the skill assumes the internal structure of the Office document is safe for processing.
      • Capability inventory: zipfile.extractall (file write), subprocess.run (execution of soffice), prs.save (pptx write).
      • Sanitization: While defusedxml is used for some operations, the skill lacks path sanitization for zip extraction and entity protection in lxml usage.
  • Dynamic Execution (MEDIUM): ooxml/scripts/pack.py invokes the soffice binary on untrusted documents via subprocess.run for validation purposes.
      • Evidence: The validate_document function runs soffice --headless --convert-to html on the generated file, exposing the system to vulnerabilities in the LibreOffice conversion engine.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:04 AM