NYC

docx

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • PROMPT_INJECTION (HIGH): The SKILL.md file contains explicit instructions to override the agent's standard operating procedures, such as 'NEVER set any range limits when reading this file.' This is a behavior override attempt targeting the agent's tool usage (e.g., read_file range constraints).
  • INDIRECT_PROMPT_INJECTION (HIGH): The skill processes untrusted .docx files by extracting text and XML for agent consumption. There are no boundary markers or sanitization procedures for the extracted content, allowing an attacker to embed malicious instructions within a document that the agent may follow upon reading (Category 8).
  • COMMAND_EXECUTION (HIGH): The skill relies on subprocess.run to execute system binaries like soffice and pdftoppm. It also explicitly instructs the agent to generate and execute its own Python and JavaScript code for document manipulation, creating a high-privilege execution environment.
  • EXTERNAL_DOWNLOADS (LOW): The skill instructs the user to install several external dependencies (pandoc, libreoffice, poppler-utils, docx). While these are from generally trusted repositories, they expand the attack surface of the host environment.
  • DATA_EXPOSURE (MEDIUM): ooxml/scripts/unpack.py uses zipfile.extractall(), which may be vulnerable to path traversal (Zip Slip) if the input document contains malicious archive entry names like ../../target. While defusedxml is used to mitigate XXE, the file-level extraction risk remains.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:55 AM