Gen Agent Trust Hub audit: skills/lv416e/dotfiles/docx

docx

Fail

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of subprocess.run to execute system binaries, including soffice (LibreOffice), pandoc, pdftoppm, and gcc. These invocations often take file paths and parameters derived from user input.
  • [REMOTE_CODE_EXECUTION]: As part of its environment configuration, scripts/office/soffice.py contains a hardcoded C source string that is written to a temporary file and compiled at runtime with gcc. The resulting shared library is then injected into the soffice process via the LD_PRELOAD environment variable. Additionally, scripts/accept_changes.py generates and executes LibreOffice Basic macros at runtime.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md documentation instructs the user to install the docx package globally from the official NPM registry.
  • [PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection attacks.
    1. Ingestion points: scripts/office/unpack.py and pandoc extract content from untrusted Word documents supplied by users.
    2. Boundary markers: The skill does not use delimiters or instructions to isolate ingested content from agent commands.
    3. Capability inventory: The skill has high-privilege capabilities, including file system access, subprocess execution, and runtime code compilation.
    4. Sanitization: While defusedxml is used to mitigate XML-based attacks, the natural language content extracted from the documents is not sanitized.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 28, 2026, 10:36 PM