docx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The file ooxml/scripts/unpack.py and the validation logic in ooxml/scripts/validation/docx.py are vulnerable to 'Zip Slip' attacks. They use zipfile.extractall() without validating that the archive's file paths remain within the target directory, allowing a malicious document to overwrite sensitive system files (e.g., shell profiles) to achieve code execution.
    • Evidence: zipfile.ZipFile(input_file).extractall(output_path) in ooxml/scripts/unpack.py and zip_ref.extractall(temp_dir) in ooxml/scripts/validation/docx.py.
  • DATA_EXFILTRATION (MEDIUM): The validation logic in ooxml/scripts/validation/docx.py uses lxml.etree.parse without explicitly disabling external entity resolution. This creates a surface for XML External Entity (XXE) attacks, which can be used to read local files if a malicious document is processed.
    • Evidence: Multiple instances of lxml.etree.parse(str(xml_file)) in ooxml/scripts/validation/docx.py.
  • COMMAND_EXECUTION (LOW): The skill invokes the soffice (LibreOffice) binary via a subprocess to perform document validation. While the implementation uses a list-based argument structure to prevent shell injection, it introduces a dependency on external executable software.
    • Evidence: subprocess.run(["soffice", "--headless", ...]) in ooxml/scripts/pack.py.
  • PROMPT_INJECTION (LOW): The skill processes untrusted Office documents (DOCX, PPTX, XLSX) which serves as an ingestion point for indirect prompt injection.
    • Ingestion points: ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py.
    • Boundary markers: None present.
    • Capability inventory: Unrestricted file system write access via extractall, subprocess execution via soffice.
    • Sanitization: Inconsistent; defusedxml is used in some formatting scripts, but the core validation logic uses standard lxml without security hardening.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:40 PM