xlsx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill performs runtime C compilation and process injection via LD_PRELOAD.
    • Evidence: scripts/office/soffice.py contains an embedded C source string (_SHIM_SOURCE) designed to hook system-level operations such as socket, listen, and accept.
    • Process: The skill writes this source to disk, compiles it at runtime using gcc -shared -fPIC, and then injects the resulting shared object into the soffice process environment via the LD_PRELOAD variable. This technique is extremely invasive and is a common vector for process hijacking or environment manipulation.
  • [COMMAND_EXECUTION] (HIGH): The skill modifies persistent application configurations to enable automated macro execution.
    • Evidence: recalc.py and scripts/recalc.py include a setup_libreoffice_macro function that identifies the host's LibreOffice user profile directory and writes a custom StarBasic macro to Module1.xba.
    • Risk: Modifying persistent application configurations to enable automated code execution (macros) establishes a persistence mechanism. This environment change remains across sessions and could be exploited if malicious content triggers the macro.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its data processing model.
    • Ingestion points: unpack.py, recalc.py, and validate.py accept and process untrusted Office document files (.docx, .pptx, .xlsx) from external sources.
    • Boundary markers: There are no explicit boundary markers or instructions used to separate untrusted document content from agent instructions during processing.
    • Capability inventory: The skill possesses high-privilege capabilities, including subprocess execution (gcc, soffice, git) and the ability to modify filesystem configurations.
    • Sanitization: While it uses defusedxml to mitigate XML-based attacks (XXE), it lacks sanitization for the logical content of the documents, which might influence subsequent agent actions or be used in the recalculation logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:05 PM