pptx

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): Vulnerability to XML External Entity (XXE) attacks.
      • Evidence: In ooxml/scripts/validation/docx.py, the skill uses lxml.etree.parse() on XML files extracted from Office documents. By default, lxml may resolve external entities if not explicitly configured otherwise (e.g., resolve_entities=False). An attacker could provide a document containing malicious entities to read local files or perform Server-Side Request Forgery (SSRF).
  • [COMMAND_EXECUTION] (HIGH): Vulnerability to ZipSlip (Directory Traversal).
      • Evidence: In ooxml/scripts/unpack.py, the skill uses zipfile.ZipFile(input_file).extractall(output_path) without validating the filenames within the ZIP archive. A malicious document could contain files with paths like ../../tmp/evil.sh, allowing an attacker to overwrite arbitrary files on the system.
  • [COMMAND_EXECUTION] (MEDIUM): Unsafe execution of LibreOffice (soffice) on untrusted data.
      • Evidence: In ooxml/scripts/pack.py, the validate_document function runs subprocess.run(['soffice', '--headless', ...]) on the newly packed document. Processing untrusted, complex OOXML files with a massive application like LibreOffice exposes the system to potential exploitation of vulnerabilities in the office suite's document parsers.
  • [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection surface (Category 8).
      • Ingestion points: The ooxml/scripts/unpack.py script reads arbitrary .docx, .pptx, and .xlsx files provided by the user or an external source.
      • Boundary markers: Absent. The skill parses the raw XML content without using delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill has the ability to write to the file system, execute subprocesses (soffice), and perform complex XML manipulation.
      • Sanitization: Inconsistent. While defusedxml is used in some scripts, the validation logic reverts to lxml (unsafe), and the python-pptx library relies on internal parsers that may be exploitable.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:25 AM