Gen Agent Trust Hub audit report: skill "doc" (ninehills/skills/doc)

Skill: doc

Verdict: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and manipulate untrusted external data (.docx files), creating a significant attack surface for indirect prompt injection, where a document could contain hidden instructions that override the agent's behavior.
      ◦ Ingestion points: scripts/render_docx.py (line 46) and python-docx (referenced in the SKILL.md workflow) read external document content into the agent context.
      ◦ Boundary markers: The instructions do not specify any delimiters or safety warnings to distinguish document content from agent instructions.
      ◦ Capability inventory: The skill executes system commands via subprocess.run (to soffice and pdftoppm) and performs file system modifications.
      ◦ Sanitization: No sanitization or filtering of the document content is performed before processing.
  • [Dynamic Execution] (MEDIUM): Unsafe XML parsing in scripts/render_docx.py.
      ◦ Evidence: Line 52 uses xml.etree.ElementTree.fromstring() to parse word/document.xml. This library is vulnerable to XML External Entity (XXE) attacks, which could allow an attacker to read local files or perform SSRF if a malicious DOCX is processed.
  • [Command Execution] (LOW): Runtime execution of system tools.
      ◦ Evidence: scripts/render_docx.py (lines 122, 142) uses subprocess.run to call soffice and pdftoppm. While the arguments are largely structured, the input file paths are dynamic, and running LibreOffice (soffice) in headless mode exposes a large attack surface for document-based exploits.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 11:21 AM