skills/jimmc414/kosmos/pptx/Gen Agent Trust Hub

pptx

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • Dynamic Execution (MEDIUM): The validation logic in ooxml/scripts/validation/docx.py uses lxml.etree.parse() to process XML content extracted from Office documents without explicit hardening.
      • Evidence: root = lxml.etree.parse(str(xml_file)).getroot() in multiple methods including validate_whitespace_preservation and validate_deletions.
      • Risk: Standard lxml is susceptible to XML External Entity (XXE) attacks. While the skill uses the safe defusedxml library in pack.py and unpack.py, its omission from the validation script creates a vulnerability where a malicious document could be used to read local files or perform SSRF.
  • COMMAND_EXECUTION (MEDIUM): The script ooxml/scripts/pack.py uses subprocess.run to execute the soffice (LibreOffice) command-line tool.
      • Evidence: The validate_document function calls subprocess.run(["soffice", "--headless", "--convert-to", filter_name, ...]).
      • Risk: Passing user-influenced document paths and contents to a complex external binary like LibreOffice carries risk if the binary contains unpatched vulnerabilities in its parsing or conversion engines.
  • Indirect Prompt Injection (LOW): The skill processes untrusted Office documents (.docx, .pptx), which serve as an attack surface for indirect prompt injection.
      • Ingestion points: ooxml/scripts/unpack.py (extracts external zip content) and scripts/rearrange.py (reads PPTX files).
      • Boundary markers: Absent. There are no markers or instructions telling the agent to ignore instructions embedded within the document data.
      • Capability inventory: The skill can read/write files, extract ZIP archives, and execute shell commands (soffice).
      • Sanitization: Inconsistent. While defusedxml is used for formatting, the validation logic (docx.py) lacks sanitization for XML entities.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:16 PM