skills/lexwdex/my_lm_skills/docx/Gen Agent Trust Hub

docx

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (LOW): The script ooxml/scripts/pack.py invokes the soffice (LibreOffice) binary to perform document validation.
      • Evidence: subprocess.run(["soffice", "--headless", "--convert-to", ...]) in pack.py.
      • While it avoids shell execution by using a list of arguments, the dependency on a local Office suite introduces a large attack surface relative to the document conversion process.
  • DATA_EXFILTRATION (MEDIUM): Potential XML External Entity (XXE) vulnerability in validation logic.
      • Evidence: lxml.etree.parse(str(xml_file)) in ooxml/scripts/validation/docx.py (multiple occurrences).
      • Unlike the defusedxml implementation used elsewhere in the skill, standard lxml parsing of untrusted XML files can be configured to resolve external entities, potentially leading to local file disclosure if a crafted OOXML component is processed.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection through the processing of untrusted Office documents.
      • Ingestion points: ooxml/scripts/unpack.py (line 15) extracts files from user-supplied Office documents.
      • Boundary markers: None. The skill parses raw XML components without wrapping content in protective delimiters or safety instructions for the agent.
      • Capability inventory: File system write access via zipfile.extractall, command execution via soffice, and file reads for validation.
      • Sanitization: Inconsistent. While defusedxml is used for some operations, the core validation logic uses lxml without explicit hardening, and the extraction logic lacks path sanitization.
  • UNSAFE_FILE_OPERATIONS (MEDIUM): Directory traversal (Zip Slip) vulnerability in the unpacking utility.
      • Evidence: zipfile.ZipFile(input_file).extractall(output_path) in ooxml/scripts/unpack.py (line 15).
      • The extractall method does not validate that member paths remain within the output_path. A malicious ZIP/OOXML file containing entries with ../ sequences could overwrite sensitive files on the agent's filesystem.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:42 PM