pptx

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/office/soffice.py implements a process injection technique. It contains a C source code string (_SHIM_SOURCE) which it writes to a temporary file and compiles into a shared object (lo_socket_shim.so) using gcc at runtime. It then sets the LD_PRELOAD environment variable to inject this library into the LibreOffice (soffice) process. This shim overrides standard library functions such as socket, listen, accept, and close to redirect AF_UNIX traffic to socketpairs, bypassing sandbox restrictions.
  • [COMMAND_EXECUTION]: The skill executes external system binaries using subprocess.run on paths derived from user input or configuration:
    • scripts/thumbnail.py and scripts/office/soffice.py execute soffice (LibreOffice) and pdftoppm (Poppler) for document rendering.
    • scripts/office/validators/redlining.py executes git to generate diffs for document validation.
  • [PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection (Category 8).
    • Ingestion points: Processes untrusted Office documents (.pptx, .docx) that are unpacked in scripts/office/unpack.py and have their text content extracted via markitdown.
    • Boundary markers: Absent. Extracted XML and text data are handled without delimiters or security instructions telling the agent to ignore embedded instructions.
    • Capability inventory: Powerful capabilities including arbitrary subprocess execution (git, soffice, pdftoppm), file system manipulation, and runtime code injection (LD_PRELOAD).
    • Sanitization: Absent. Extracted content is processed without filtering or escaping, relying on the agent's internal guardrails to manage potentially malicious embedded instructions.
  • [COMMAND_EXECUTION]: Deceptive metadata was identified in the skill folder. The LICENSE.txt file explicitly claims copyright by 'Anthropic, PBC (2025)', while the skill's metadata and author context identify the creator as 'intelli-train-ai'. This attempt to masquerade as a trusted vendor is a deceptive practice.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 12, 2026, 04:55 PM