docx

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/office/soffice.py writes C source code to a temporary file at runtime and invokes the gcc compiler to build a shared library (lo_socket_shim.so). It then sets the LD_PRELOAD environment variable so that this library is loaded into the soffice process, where it intercepts and shims system-level socket calls. This is a form of dynamic code generation and process injection.
  • [COMMAND_EXECUTION]: Several components of the skill, including scripts/accept_changes.py, scripts/office/soffice.py, and scripts/office/validate.py, execute external binaries (soffice from LibreOffice, pandoc, and git) via subprocess.run with arguments that may be untrusted.
  • [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection because its pipeline processes untrusted Word (.docx) files.
    • Ingestion points: Untrusted data enters the agent context through scripts/office/unpack.py, which extracts raw XML from docx ZIP archives, and through the pandoc text extraction described in SKILL.md.
    • Boundary markers: Absent. The skill implements no delimiters or instructions that would make the agent disregard commands found within document content.
    • Capability inventory: The skill has extensive capabilities, including arbitrary shell command execution, filesystem access, and the ability to compile binary code.
    • Sanitization: The skill uses defusedxml to mitigate XML-based attacks such as XXE, but it does not provide comprehensive sanitization or validation of the natural-language content extracted from processed documents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 12, 2026, 04:55 PM