skills/lv416e/dotfiles/pptx/Gen Agent Trust Hub

pptx

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Runtime compilation and process injection.
    • Evidence: In scripts/office/soffice.py, the skill defines a C source string (_SHIM_SOURCE) that implements a socket shim. The _ensure_shim function writes this source to a temporary file and compiles it into a shared object using gcc. The resulting library is then dynamically loaded into the LibreOffice (soffice) process via the LD_PRELOAD environment variable. This is an aggressive technique used to modify the behavior of system calls at runtime.
  • [COMMAND_EXECUTION]: Execution of system binaries via subprocess.
    • Evidence: Multiple utility scripts (soffice.py, thumbnail.py, pack.py, validate.py) invoke external command-line tools including gcc, soffice, git, and pdftoppm. These calls are made using subprocess.run with parameters that can include user-provided file paths.
  • [PROMPT_INJECTION]: Indirect prompt injection surface via document processing.
    • Evidence: The skill ingests untrusted data from external Office documents, which creates a surface for indirect prompt injection.
      • Ingestion points: XML content is extracted from user-provided .pptx, .docx, and .xlsx files in scripts/office/unpack.py and via the markitdown dependency.
      • Boundary markers: The skill does not use explicit delimiters or "ignore instructions" warnings when presenting extracted text to the agent.
      • Capability inventory: The skill possesses extensive capabilities across its scripts, including arbitrary file writes, file deletions (scripts/clean.py), and process execution (scripts/office/soffice.py).
      • Sanitization: While the skill uses defusedxml to mitigate XML-based attacks (XXE), there is no sanitization or escaping of the natural language content extracted from the documents before it is processed by the AI agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 10:36 PM