skills/koolamusic/claudefiles/docx/Gen Agent Trust Hub

docx

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Dynamic Execution (HIGH): The skill performs runtime compilation of C source code and uses library injection techniques to intercept system calls.
  • Evidence: scripts/office/soffice.py contains a C source string (_SHIM_SOURCE) that is written to /tmp/lo_socket_shim.c and compiled at runtime using gcc -shared -fPIC via _ensure_shim().
  • Evidence: The compiled shared object is injected into the soffice (LibreOffice) process using the LD_PRELOAD environment variable in get_soffice_env().
  • Context: While intended to bypass AF_UNIX socket restrictions in sandboxed environments, runtime compilation and injection are high-risk patterns typically associated with evasion.
  • Indirect Prompt Injection (HIGH): The skill processes untrusted external data (Office documents) and has high-privilege capabilities (file modification, command execution).
  • Ingestion points: scripts/office/unpack.py (extracts ZIP archives); scripts/office/validators/redlining.py (parses extracted XML content).
  • Boundary markers: None found. There are no clear delimiters or instructions to the agent to treat document content as untrusted data rather than instructions.
  • Capability inventory: subprocess.run calls to gcc, git, and soffice (via scripts/office/soffice.py, scripts/office/validators/redlining.py, and scripts/accept_changes.py).
  • Sanitization: While defusedxml is used in some modules, scripts/office/validators/pptx.py uses lxml.etree and scripts/office/validators/redlining.py uses xml.etree.ElementTree without explicit security hardening against entities or complex XML structures.
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill invokes several external system binaries whose integrity and configuration are not verified.
  • Evidence: Subprocess calls in scripts/office/soffice.py (gcc), scripts/accept_changes.py (soffice), and scripts/office/validators/redlining.py (git diff).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 05:49 PM