pptx

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Dynamic Execution (HIGH): The skill performs runtime C compilation and process injection to bypass environment restrictions. Evidence: In scripts/office/soffice.py, the _ensure_shim function writes a C source file (_SHIM_SOURCE) to the temporary directory, compiles it using gcc -shared -fPIC, and injects the resulting shared object into the soffice process using the LD_PRELOAD environment variable. This technique of hooking system calls (socket, listen, accept) is a high-risk behavior associated with advanced evasion mechanisms.
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external content from .pptx files, creating a significant attack surface. Ingestion points: The skill uses markitdown to extract text from presentations and unpack.py to parse XML content. Capability inventory: The skill has extensive system-level capabilities, including command execution (subprocess.run), file system modification (pack.py), and file deletion (clean.py). Boundary markers: There are no mechanisms to delimit untrusted content or warn the agent to ignore embedded instructions. Sanitization: No sanitization is performed on the extracted text before it is presented to the agent for reasoning.
  • Unverifiable Dependencies (MEDIUM): The skill requires several external packages and system binaries that must be installed on the host. Evidence: SKILL.md specifies requirements for markitdown[pptx], pptxgenjs, soffice (LibreOffice), and pdftoppm (Poppler). The runtime generation and execution of the lo_socket_shim.so binary is an unverifiable and high-risk dynamic dependency.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:11 AM