pptx

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): Path Traversal (ZipSlip) vulnerability in ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py. The use of zipfile.ZipFile.extractall() without validating that archive members are within the target directory allows an attacker to write or overwrite files anywhere on the system (e.g., ../../.bashrc) by providing a malicious Office file.
  • DATA_EXFILTRATION (HIGH): XML External Entity (XXE) and XML Bomb vulnerability in ooxml/scripts/validation/docx.py. The script uses lxml.etree.parse() on XML content from untrusted documents without disabling entity resolution or DTD loading. This can be exploited to read local system files or cause a denial of service via recursive entity expansion.
  • COMMAND_EXECUTION (LOW): Use of subprocess.run to call soffice in ooxml/scripts/pack.py. While it avoids shell injection by using an argument list, it invokes a complex external binary on attacker-controlled content, which increases the attack surface.
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection surface. The skill ingests untrusted data from Office documents (.docx, .pptx) and processes it through multiple scripts and external tools (soffice) without comprehensive sanitization (e.g., lxml usage in docx.py). Evidence: ingestion points in unpack.py and validate.py; missing boundary markers in XML processing; capabilities that include arbitrary file writing via ZipSlip and external command execution via soffice; inconsistent sanitization, with defusedxml used in some scripts but dangerous lxml defaults in others.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:02 PM