Gen Agent Trust Hub audit: skills/ttmouse/skills/pptx

pptx

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Arbitrary File Write / Zip Slip] (HIGH): The files ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py call zipfile.ZipFile.extractall() on input Office documents without validating the member names inside the archive. A .docx or .pptx is an ordinary ZIP container, so an attacker can craft one whose member names carry path traversal sequences (e.g., ../../.ssh/authorized_keys) intended to overwrite sensitive files when the agent processes the document. Caveat for triage: current CPython's ZipFile.extract()/extractall() strip absolute prefixes and all ".." components from member names before writing (the documented behaviour of the zipfile module), so on such an interpreter this exact payload lands as .ssh/authorized_keys inside the extraction directory rather than escaping it. The practical severity therefore depends on the runtime in use and on whether any code path writes members under their raw names; validating member names explicitly, and rejecting the archive rather than silently renaming entries, is still the right fix.
  • [XML External Entity (XXE) Vulnerability] (MEDIUM): The file ooxml/scripts/validation/docx.py uses lxml.etree.parse() to process the XML parts of the Office document. Depending on the lxml version and the parser options in use, lxml's default XMLParser may expand external entities declared in a DTD (the resolve_entities option); network fetches are disabled by default (no_network=True), but that option does not block file: references. A crafted document carrying a DOCTYPE with an external entity could therefore disclose local file contents into the parsed output or, where network access is enabled, reach internal services (SSRF). OOXML parts never legitimately contain a DTD, so rejecting any part that declares a DOCTYPE, or parsing with XMLParser(resolve_entities=False, load_dtd=False, no_network=True) or defusedxml.lxml, closes this. Note that defusedxml is correctly used in other parts of the skill (pack.py, unpack.py), but not here.
  • [Subprocess Execution] (MEDIUM): The file ooxml/scripts/pack.py runs the soffice (LibreOffice) binary via subprocess.run. The call is used for legitimate validation, but invoking a large office suite on untrusted input hands attacker-controlled documents to LibreOffice's own parsers and so widens the attack surface for memory corruption or other vulnerabilities in that code base. Practitioner checks: pass the arguments as a list (no shell=True), run headless with a timeout, and isolate the conversion (container or sandbox) where the deployment allows it.
  • [Indirect Prompt Injection Surface] (LOW): The skill is designed to ingest and process external Office documents, which are a common vector for indirect prompt injection.
    1. Ingestion points: unpack.py and rearrange.py read external files.
    2. Boundary markers: none found; the LLM context is exposed to raw document contents.
    3. Capability inventory: file writing (pack.py), subprocess execution (pack.py).
    4. Sanitization: defusedxml is used for some operations, but there is no general input sanitization before document text is interpolated into the LLM context.
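As an added example for the first two findings (Zip Slip and XXE), and not code from the ttmouse pptx skill or from Gen Agent Trust Hub, the following Python unpacker replaces a bare extractall() with explicit member validation that rejects traversal names rather than silently rewriting them, validates every member before writing anything, and then gates each XML part on the absence of a DOCTYPE before parsing it with entity resolution, DTD loading and network access turned off. All function and class names here (UnsafeDocument, check_member, extract_ooxml, reject_dtd, parse_part, build_sample, demo) are this example's own, and the sample archives are constructed inline rather than real Office files.

```python
"""Hardened unpacking of an OOXML archive (.docx/.pptx). Added illustration for
this audit, not code from the ttmouse pptx skill or Gen Agent Trust Hub: every
name is this example's own and the sample archives are constructed, not real."""
import io
import tempfile
import zipfile
import xml.parsers.expat as expat
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeDocument(ValueError):
    """The archive or one of its XML parts failed a safety check."""


def check_member(info: zipfile.ZipInfo) -> PurePosixPath:
    """Return a member name as a relative POSIX path, or raise. ZipFile.extract()
    quietly strips '..' and leading slashes; rejecting instead fails loudly."""
    name = info.filename
    if not name or "\x00" in name or "\\" in name:
        raise UnsafeDocument(f"illegal member name: {name!r}")
    posix, win = PurePosixPath(name), PureWindowsPath(name)
    if posix.is_absolute() or win.drive or win.root or ".." in posix.parts:
        raise UnsafeDocument(f"path traversal in member name: {name!r}")
    return posix


def extract_ooxml(archive: bytes, dest) -> list[Path]:
    """Extract into dest, validating every member before writing anything."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(i, (dest / check_member(i)).resolve()) for i in zf.infolist()]
        for info, target in plan:  # belt and braces on the resolved path
            if target != dest and dest not in target.parents:
                raise UnsafeDocument(f"{info.filename!r} resolves outside {dest}")
        for info, target in plan:  # reached only if the whole archive is clean
            if info.is_dir():
                continue  # OOXML needs no empty dirs; parents are made below
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
    return [t for i, t in plan if not i.is_dir()]


def reject_dtd(data: bytes) -> None:
    """Refuse an XML part with a DOCTYPE: OOXML parts never carry a DTD, so one
    is a strong XXE signal. expat's handler also sees UTF-16 parts, unlike a
    byte search, and fetches nothing (no ExternalEntityRefHandler installed)."""
    seen: list[str] = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: seen.append(name)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        if not seen:
            raise UnsafeDocument(f"malformed XML part: {exc}") from None
    if seen:
        raise UnsafeDocument(f"DOCTYPE {seen[0]!r} not allowed in an OOXML part")


def parse_part(data: bytes):
    """DTD gate, then lxml with entities, DTD loading and network off (the
    docx.py fix); the stdlib parser, which never fetches, if lxml is absent."""
    reject_dtd(data)
    try:
        from lxml import etree
    except ImportError:
        import xml.etree.ElementTree as ET
        return ET.fromstring(data)
    parser = etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)
    return etree.fromstring(data, parser)


def build_sample(malicious: bool) -> bytes:
    """Constructed minimal pptx-like archive (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld><t>hi</t></sld>')
        if malicious:  # the traversal name from the finding above
            zf.writestr("../../.ssh/authorized_keys", "constructed attacker key")
    return buf.getvalue()


def demo() -> dict:
    """Exercise both archives and a constructed XXE part; report outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        files = extract_ooxml(build_sample(False), tmp)
        out["benign"] = sorted(p.name for p in files)
        out["root"] = parse_part(files[-1].read_bytes()).tag
    with tempfile.TemporaryDirectory() as tmp:
        try:
            extract_ooxml(build_sample(True), tmp)
        except UnsafeDocument as exc:
            out["rejected"] = str(exc)
        out["written"] = sum(1 for _ in Path(tmp).rglob("*"))
    try:
        parse_part(b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>')
    except UnsafeDocument as exc:
        out["xxe"] = str(exc)
    return out
```

Running demo() unpacks the benign archive, parses slide1.xml to its sld root, rejects the traversal archive with nothing written to the target directory (the all-or-nothing plan is the point: a malicious archive must not get a partial write before the bad member is reached), and refuses the XXE part at the DOCTYPE gate before any parser sees it. The DOCTYPE rule is deliberately stricter than "disable external entities": it also stops internal entity expansion bombs, which the lxml flags alone do not address.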
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:42 PM