skills/skezu/skills/pptx/Gen Agent Trust Hub

pptx

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Runtime compilation and process injection. The script scripts/office/soffice.py contains embedded C source code designed to shim system socket calls. It uses gcc to compile this source into a shared object at runtime and injects it into the soffice process via the LD_PRELOAD environment variable, allowing it to intercept and modify low-level networking behavior.
  • [COMMAND_EXECUTION]: Execution of high-risk system commands. The skill makes extensive use of subprocess.run to invoke system binaries including gcc, soffice, git, and pdftoppm. These calls provide a powerful execution environment that could be exploited if input handling is flawed.
  • [EXTERNAL_DOWNLOADS]: Remote data fetching. Documentation in pptxgenjs.md describes functionality to fetch images from arbitrary external URLs to embed them in slides, which involves making outbound network requests to non-whitelisted domains.
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface.
      • Ingestion points: User-provided Office documents are ingested via scripts/office/unpack.py and scripts/office/validate.py.
      • Boundary markers: Absent; the skill instructions do not specify any delimiters or warnings to ignore instructions found within document content.
      • Capability inventory: The skill has significant capabilities including arbitrary file system write access, network fetching, and execution of system binaries like gcc and soffice.
      • Sanitization: Inconsistent. While some parts of the skill use defusedxml to mitigate XML attacks, other components like scripts/office/validators/redlining.py and scripts/office/helpers/simplify_redlines.py use standard xml.etree or lxml libraries which are susceptible to XML entity expansion attacks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 09:00 AM