PowerPoint Suite

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit instructions meant to bypass standard agent behaviors for context management. In SKILL.md, directives such as 'MANDATORY - READ ENTIRE FILE' and 'NEVER set any range limits when reading this file' are used multiple times to force the agent to ignore internal optimizations or tool usage constraints during its operational loop.
  • [COMMAND_EXECUTION]: The skill relies on system-level binaries to perform file conversions and rendering. Scripts like ooxml/scripts/pack.py and scripts/thumbnail.py utilize subprocess.run to call soffice (LibreOffice) and pdftoppm. While the use of list-style arguments mitigates shell injection risks, this capability remains a surface for exploitation if user-provided file paths or metadata are not properly sanitized before being passed to external tools.
  • [INDIRECT_PROMPT_INJECTION]: The skill possesses a broad surface for indirect injection attacks due to its core functionality.
      • Ingestion points: Untrusted PowerPoint content is extracted into XML and text formats via ooxml/scripts/unpack.py and scripts/inventory.py.
      • Boundary markers: There are no defined boundary markers or instructions for the agent to treat extracted presentation content as untrusted data.
      • Capability inventory: The skill allows for significant system impact through command execution and file system modifications.
      • Sanitization: The XML parsing logic in ooxml/scripts/validation/base.py and other scripts uses lxml and minidom without explicitly disabling DTD resolution or entity expansion, which may leave the system vulnerable to XML External Entity (XXE) attacks from malicious presentations.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 26, 2026, 12:30 PM