skills/jimmc414/kosmos/docx/Gen Agent Trust Hub

docx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • DATA_EXFILTRATION (HIGH): The script ooxml/scripts/unpack.py is vulnerable to a Zip Slip (path traversal) attack. It uses zipfile.ZipFile.extractall() on input files without validating that the archived file paths remain within the target directory. A malicious .docx file containing entries with path traversal sequences (e.g., ../../.bashrc) could overwrite arbitrary files on the host system when processed by the agent.
  • PROMPT_INJECTION (LOW): The SKILL.md file uses steering instructions ('MANDATORY - READ ENTIRE FILE', 'NEVER set any range limits') designed to override the agent's default behavior regarding document consumption. This pattern of instruction injection is used to bypass potential range-limiting or truncation filters.
  • COMMAND_EXECUTION (LOW): The ooxml/scripts/pack.py utility executes the soffice binary via subprocess.run to perform document validation. While it avoids shell injection by passing arguments as a list, it still facilitates the execution of local software based on untrusted input files.
  • EXTERNAL_DOWNLOADS (LOW): The skill documentation provides commands to install various external dependencies (pandoc, libreoffice, poppler-utils, docx, defusedxml) from public software repositories, which introduces a dependency on external, third-party infrastructure.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest and process untrusted Word documents that may contain malicious instructions (Category 8).
  • Ingestion points: Markdown text converted via pandoc and raw XML files (word/document.xml) are read by the agent.
  • Boundary markers: Absent. There are no instructions for the agent to treat document content as untrusted data.
  • Capability inventory: The skill possesses file system write capabilities (pack.py) and command execution via soffice.
  • Sanitization: Absent. Document content is passed to the agent without filtering or escaping.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:18 PM