The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external content (.docx files) by converting them to Markdown for agent consumption.
Ingestion points: pandoc --track-changes=all path-to-file.docx -o output.md and XML extraction from word/document.xml.
Boundary markers: None. Content is treated as raw data for the agent to 'read and analyze'.
Capability inventory: File writing (doc.save()), arbitrary command execution (pandoc, soffice, pdftoppm), and XML parsing.
Sanitization: While defusedxml is listed to prevent XXE, there is no sanitization of the natural language content extracted from documents, allowing an attacker to embed instructions that override agent behavior.
Command Execution (MEDIUM): The skill relies heavily on spawning subprocesses to run system binaries like pandoc, soffice (LibreOffice), and pdftoppm. If document filenames or parameters are not strictly sanitized, this presents a command injection risk.
Unverifiable Local Scripts & Logic (MEDIUM): The skill references local scripts (ooxml/scripts/unpack.py and pack.py) and documentation (ooxml.md) not provided in the snippet. The process of unpacking OOXML (which are ZIP files) is a common vector for 'Zip Slip' path traversal attacks if the extraction script does not validate target paths.

docx