skills/smallnest/langgraphgo/pptx/Gen Agent Trust Hub

pptx

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The script ooxml/scripts/pack.py executes the soffice (LibreOffice) binary via subprocess.run to validate documents. Processing untrusted files through a complex external binary increases the attack surface, as vulnerabilities in the office suite could be exploited by a crafted document.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): In ooxml/scripts/validation/docx.py, the skill uses lxml.etree.parse() on XML files without explicit protection against XML External Entity (XXE) attacks (e.g., resolve_entities=False). While defusedxml is used elsewhere, this specific instance on unpacked document content could allow an attacker to read local files or perform server-side request forgery (SSRF) if the XML is maliciously crafted.
  • [INDIRECT_PROMPT_INJECTION] (MEDIUM): This skill is designed to process external content (Office documents) and has the capability to write and execute commands based on that content.
      • Ingestion points: ooxml/scripts/unpack.py and scripts/rearrange.py read content from zip-compressed Office files.
      • Boundary markers: Absent; there are no delimiters or instructions to ignore embedded content during the processing of document XML.
      • Capability inventory: File writing (zipfile, xml_file.write_bytes) and subprocess execution (soffice).
      • Sanitization: Inconsistent; defusedxml is used in some scripts, but raw lxml is used in others.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 12:36 AM