docx

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [Privilege Escalation] (HIGH): The skill explicitly instructs the agent to use sudo apt-get install for multiple dependencies (pandoc, libreoffice, poppler-utils). Prompting an agent to execute commands with root privileges is a major security risk.
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted external files (.docx) and provides the agent with capabilities to execute shell commands and run generated scripts based on the content of those files.
    • Ingestion points: .docx files via pandoc and python ooxml/scripts/unpack.py.
    • Boundary markers: None identified in the instructions for separating document content from agent instructions.
    • Capability inventory: Execution of pandoc, soffice, pdftoppm, and custom Python/JavaScript scripts.
    • Sanitization: While defusedxml is listed as a dependency, there is no evidence of sanitization for the text content extracted from documents before it is processed by the agent.
  • [Dynamic Execution] (HIGH): The workflow for editing documents involves the agent creating and running custom Python and JavaScript/TypeScript scripts at runtime. This allows for arbitrary code execution if the logic is influenced by malicious document content.
  • [Prompt Injection] (MEDIUM): The skill contains repeated instructions to 'NEVER set any range limits' when reading documentation files, which is an attempt to bypass standard agent constraints or context management safety features.
  • [External Downloads] (LOW): The skill requires installing several external packages via apt, npm, and pip. While these are from standard repositories, the requirement to install them at runtime increases the attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:55 AM