Gen Agent Trust Hub audit: skills/nogataka/slidekit/pptx

Skill: pptx
Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/office/soffice.py implements a runtime compilation pattern where C source code is written to a temporary file and compiled into a shared library using gcc. This library is then injected into the LibreOffice (soffice) process via the LD_PRELOAD environment variable. This is a powerful and high-risk technique for manipulating process behavior at runtime.
  • [COMMAND_EXECUTION]: Several scripts (soffice.py, thumbnail.py, redlining.py) use the subprocess module to execute system binaries, including gcc, soffice, pdftoppm, and git. Executing external tools with parameters derived from document processing is an inherently risky pattern if those inputs are not strictly controlled.
  • [COMMAND_EXECUTION]: The fix_pptx.py script logic described in pptxgenjs.md uses zipfile.extractall() on temporary directories. This operation is vulnerable to path traversal attacks (ZipSlip) if the script is executed on a malicious PowerPoint file containing filenames with ../ segments, potentially allowing files to be written outside the intended extraction path.
  • [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection. It processes untrusted documents provided by users and extracts their content using tools such as markitdown.
      • Ingestion points: Untrusted data enters the agent context via scripts/office/unpack.py and the text extraction tools.
      • Boundary markers: The instructions in SKILL.md and the documentation lack delimiters or explicit warnings to ignore instructions embedded in the extracted document content when processing it with subagents.
      • Capability inventory: The skill has broad capabilities, including system command execution, file system modification, and runtime code compilation, which could be abused if an injection succeeds.
      • Sanitization: While the scripts handle XML structural repairs, they include no logic to sanitize or filter natural-language instructions extracted from document text runs.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 20, 2026, 09:52 AM