docx

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (LOW): The script ooxml/scripts/unpack.py uses zipfile.extractall() to process Office documents. This is a known security risk (ZipSlip) where a malicious archive can overwrite arbitrary files outside the target directory using path traversal sequences in filenames.
  • DATA_EXFILTRATION (LOW): While the skill lists defusedxml as a dependency, ooxml/scripts/validation/docx.py uses the standard lxml.etree.parse() method. Without explicit security configuration, this parser may be vulnerable to XML External Entity (XXE) attacks, potentially allowing a malicious document to read local files.
  • PROMPT_INJECTION (LOW): The skill contains instructions like 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits'. These are strong directives aimed at ensuring the AI captures all context, but they resemble patterns used to bypass agent constraints or safety filters.
  • COMMAND_EXECUTION (LOW): The skill invokes external system utilities (soffice, pandoc, pdftoppm) through subprocess calls. Processing complex, attacker-controlled file formats with these tools increases the risk of exploiting vulnerabilities in the underlying binary parsers.
  • INDIRECT PROMPT INJECTION (LOW): The skill ingests untrusted data from .docx files which are then processed and read by the agent.
      ◦ Ingestion points: ooxml/scripts/unpack.py (extracting archive contents).
      ◦ Boundary markers: Absent; the agent is instructed to read the raw XML and converted markdown directly.
      ◦ Capability inventory: subprocess.run for document conversion, zipfile for extraction, and the ability to generate/run Python scripts.
      ◦ Sanitization: Partial; defusedxml is used for some operations, but lxml is used in validation steps without visible security flags.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:38 PM