docx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The file ooxml/scripts/unpack.py calls zipfile.ZipFile.extractall() on the incoming archive, the pattern associated with ZipSlip: a crafted .docx whose member names carry traversal segments (e.g. ../../etc/passwd) is written relative to wherever the unpacker runs, with no validation of the names first. One caveat a reviewer should weigh: CPython's zipfile strips leading separators and ".." components when extracting, so a plain traversal name is neutralised on supported interpreters; what extractall() still does not do is cap the decompressed size or reject members before the unpacked tree is handed to the rest of the pipeline.
  • Privilege Escalation (HIGH): The SKILL.md instructions direct the agent to run sudo apt-get install commands, so the skill's dependency setup executes as root on the host. An agent performing package installation with root privileges can alter system state well beyond the document it was asked to process.
  • Dynamic Execution (MEDIUM): The skill's primary workflow requires the agent to 'Create and run JavaScript/TypeScript file' and 'Create and run Python script'. Because the agent writes these scripts from the content of user-provided documents, instructions planted in a document can shape the generated code, turning indirect prompt injection into remote code execution on the machine running the agent.
  • Command Execution (MEDIUM): The ooxml/scripts/pack.py script and SKILL.md use subprocess.run and shell commands (soffice, pdftoppm, pandoc) with arguments derived from external filenames. If a filename is interpolated into a command string or passed with shell=True, shell metacharacters in it execute as commands; even in argv-list form, a filename beginning with '-' can be parsed by the converter as an option. The finding stands unless the scripts validate the path and pass it as a single, absolute argv element.
  • Prompt Injection (LOW): SKILL.md uses coercive directives such as 'MUST FULLY READ FILE' and 'DO NOT set any range limits'. These instructions are designed to override the agent's standard behavior for summarization and context management.
  • Indirect Prompt Injection (LOW): The skill processes untrusted .docx files and converts them to markdown or XML. Malicious instructions embedded in these files could influence the agent during the redlining or script generation phases (Category 8).
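The two code-level findings above (the bare extractall() in the unpacker and the converter calls built from external filenames) have hardened counterparts. The block below is an added example written for this audit page, not code from the docx skill or its ooxml/scripts; the function names, the converter allowlist, the size cap and the in-memory test archives are assumptions, and the converter templates are illustrative argv shapes for those tools.

```python
"""Hardened versions of the two code-level patterns flagged above: the bare
ZipFile.extractall() in the unpacker and the subprocess calls to the
document converters. Added example, not the docx skill's own ooxml/scripts;
the function names, the allowlist and the size cap are assumptions."""
from __future__ import annotations

import io
import stat
import subprocess
import zipfile
from pathlib import Path


class UnsafeArchive(ValueError):
    """An archive member could write outside the target directory or exhaust disk."""


def safe_extract(zip_bytes: bytes, dest: Path, max_total: int = 64 * 2**20) -> list[Path]:
    """Extract an in-memory .docx (a zip) into dest, returning the files written."""
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    budget = max_total
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = Path(name).parts
            # Absolute names, drive prefixes and ".." segments are the ZipSlip
            # ingredients; refuse the member rather than normalising the name.
            if not parts or name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]:
                raise UnsafeArchive(f"path-escape member {name!r}")
            # Unix mode bits live in the high 16 bits of external_attr; a symlink
            # member could redirect a later member's write outside dest.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchive(f"symlink member {name!r}")
            target = (dest / name).resolve()
            if dest not in target.parents:
                raise UnsafeArchive(f"member {name!r} resolves outside {dest}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            try:
                with zf.open(info) as src, open(target, "wb") as dst:
                    # Count bytes actually decompressed: the header's file_size
                    # is attacker-controlled and may understate a zip bomb.
                    while chunk := src.read(64 * 1024):
                        budget -= len(chunk)
                        if budget < 0:
                            raise UnsafeArchive("archive exceeds decompressed size cap")
                        dst.write(chunk)
            except UnsafeArchive:
                target.unlink(missing_ok=True)
                raise
            written.append(target)
    return written


# Fixed argv templates for the converters SKILL.md relies on (assumed shapes).
# "{src}" and "{out}" are the only variable slots, and each lands in its own
# argv element, so shell metacharacters in a filename are never interpreted.
CONVERTERS = {
    "soffice": ["soffice", "--headless", "--convert-to", "pdf", "--outdir", "{out}", "{src}"],
    "pandoc": ["pandoc", "{src}", "-t", "gfm", "-o", "{out}"],
    "pdftoppm": ["pdftoppm", "-png", "-r", "100", "{src}", "{out}"],
}
ALLOWED_SUFFIXES = {".docx", ".pdf"}


def build_converter_argv(tool: str, src: Path, out: Path) -> list[str]:
    """Return the argv for one allowlisted converter without invoking it."""
    if tool not in CONVERTERS:
        raise ValueError(f"converter {tool!r} is not allowlisted")
    src = src.resolve()
    if not src.is_file() or src.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"refusing input {src}")
    # A resolved path is absolute, so a filename such as "-o" or "--outdir"
    # can no longer be mistaken for an option by the converter's own parser.
    slots = {"{src}": str(src), "{out}": str(out.resolve())}
    return [slots.get(token, token) for token in CONVERTERS[tool]]


def run_converter(tool: str, src: Path, out: Path, timeout: int = 120) -> subprocess.CompletedProcess:
    """Run the converter with an argv list and shell=False: no /bin/sh parses the name."""
    argv = build_converter_argv(tool, src, out)
    return subprocess.run(argv, shell=False, check=True, capture_output=True, timeout=timeout)
```

safe_extract() rejects rather than repairs: a member name that would escape the destination is evidence the archive is hostile, so the whole extraction aborts and the partially written file is removed. The converter side keeps the fixed parts of each command in code and lets only the two path slots vary, which is the property that makes the Command Execution finding moot regardless of what the filename contains.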
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:09 PM