docx

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script ooxml/scripts/unpack.py and the _get_original_file_errors method in ooxml/scripts/validation/base.py both use zipfile.ZipFile.extractall() on user-provided Office files without validating member paths. This creates a ZipSlip vulnerability where a malicious .docx file containing relative path sequences (e.g., ../../) can overwrite sensitive files outside the intended directory.
  • [PROMPT_INJECTION]: The documentation in SKILL.md uses aggressive directives such as 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits' to bypass the agent's default safety or efficiency constraints when processing the skill's own documentation files.
  • [COMMAND_EXECUTION]: The skill invokes system binaries like soffice (LibreOffice) and git via subprocess.run in ooxml/scripts/pack.py and ooxml/scripts/validation/redlining.py. While these are well-known tools, their invocation on files processed from potentially untrusted sources increases the overall risk profile.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process text extracted from external .docx files, which may contain malicious instructions meant to hijack the agent's behavior.
    • Ingestion points: Document contents are extracted by ooxml/scripts/unpack.py and read by the agent.
    • Boundary markers: No boundary markers or clear instructions are provided to the agent to treat extracted text as untrusted content.
    • Capability inventory: The skill has significant capabilities, including file system write access, execution of system commands, and dynamic script generation.
    • Sanitization: While defusedxml is correctly used to prevent XXE attacks, there is no sanitization of the natural-language content to prevent prompt injection.
  • [DYNAMIC_EXECUTION]: The core workflow requires the agent to generate and then run Python or JavaScript code based on document contents, which allows a malicious document to influence the logic of the executed scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 27, 2026, 08:37 AM