pptx: Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • Dynamic Execution (MEDIUM): The file scripts/office/soffice.py performs runtime compilation of a C shim (lo_socket_shim.c) using gcc and applies it via LD_PRELOAD. While this is intended to bypass socket restrictions in sandboxed environments for LibreOffice (soffice), runtime compilation and process injection are high-risk techniques. The severity is lowered to MEDIUM as it is central to the skill's primary purpose of slide rendering.
  • Unverifiable Dependencies (MEDIUM): The skill relies on several external binaries and packages including LibreOffice, Poppler (pdftoppm), gcc, and pptxgenjs. While standard, the use of gcc to build and execute arbitrary C code at runtime increases the potential for exploitation if the compilation source were to be tampered with.
  • Indirect Prompt Injection (LOW): The skill is designed to ingest and process external PPTX files via markitdown and custom XML parsing. This creates a significant surface for indirect prompt injection where malicious instructions embedded in slide content could influence the agent's behavior during analysis or visual QA loops.
      ◦ Ingestion points: scripts/office/unpack.py and markitdown (via SKILL.md instructions).
      ◦ Boundary markers: Absent. The agent is encouraged to analyze the content directly.
      ◦ Capability inventory: subprocess.run (executing soffice, pdftoppm, gcc), file system write access via pathlib, and ZIP manipulation.
      ◦ Sanitization: The skill correctly uses defusedxml to mitigate XML external entity (XXE) attacks.
  • Metadata Poisoning (LOW): The description field in SKILL.md contains a confusing string (QUERY LENGTH LIMIT EXCEEDED...), which may be a remnant of a failed generation or a misleading indicator, though it does not pose a direct security threat.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 20, 2026, 06:05 AM