pptx

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Several scripts in the skill execute system commands via the subprocess.run interface to perform document processing tasks.
      • scripts/thumbnail.py invokes soffice (LibreOffice) and pdftoppm (Poppler) to generate slide previews.
      • scripts/office/soffice.py calls gcc to compile a shared library shim at runtime.
      • scripts/office/validators/redlining.py executes git diff to compare text content between document versions.
  • [REMOTE_CODE_EXECUTION]: The script scripts/office/soffice.py implements a dynamic execution pattern by writing embedded C source code to a temporary file, compiling it using gcc, and then loading the resulting shared object via the LD_PRELOAD environment variable. While this is used as a compatibility layer to emulate Unix sockets for LibreOffice in sandboxed environments, the generation and injection of binary code at runtime is a high-risk mechanism.
  • [PROMPT_INJECTION]: The skill ingests untrusted PowerPoint files and their internal XML components, creating a surface for indirect prompt injection.
      • Ingestion points: Untrusted presentation data entering via markitdown and custom XML manipulation scripts (unpack.py, clean.py).
      • Boundary markers: Absent; there are no explicit delimiters or warnings to ignore instructions embedded within the processed document content.
      • Capability inventory: The skill possesses extensive capabilities, including arbitrary command execution (subprocess.run), local file writing (pack.py, add_slide.py), and system call shimming (soffice.py).
      • Sanitization: The skill uses defusedxml for XML parsing, which successfully mitigates XML External Entity (XXE) attacks, but does not sanitize extracted natural language content before it reaches the agent's context.
  • [EXTERNAL_DOWNLOADS]: The skill documentation and SKILL.md specify the installation of several external dependencies from public registries.
      • Python packages: markitdown[pptx], Pillow.
      • Node.js packages: pptxgenjs, react-icons, react, react-dom, sharp.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 9, 2026, 10:13 PM