skills/uholysmokes/voidverse-alt/pptx/Gen Agent Trust Hub

pptx

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (LOW): The script ooxml/scripts/pack.py uses subprocess.run to execute the soffice binary for document validation. While it passes arguments as a list to prevent shell injection, executing complex external binaries on untrusted document files involves risk if the binary itself has vulnerabilities.
  • REMOTE_CODE_EXECUTION (MEDIUM): In ooxml/scripts/unpack.py, the skill uses zipfile.ZipFile.extractall() on user-supplied Office documents. This is a known 'ZipSlip' vulnerability (directory traversal) that allows a maliciously crafted document to overwrite files outside the intended directory, potentially leading to execution if a script or configuration file is replaced.
  • DATA_EXFILTRATION (MEDIUM): The script ooxml/scripts/validation/docx.py uses lxml.etree.parse() to process XML content. Unlike other parts of the skill that use defusedxml, this implementation does not explicitly disable external entity resolution, making it potentially vulnerable to XML External Entity (XXE) attacks which can be used to read local files.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) as it processes untrusted data from external Office documents without sufficient sanitization or boundary markers.
      • Ingestion points: Untrusted data enters the skill via Office documents (.docx, .pptx, .xlsx) processed in ooxml/scripts/unpack.py and scripts/rearrange.py.
      • Boundary markers: Absent. The skill processes XML tags and text content directly without delimiters or instructions to the agent to ignore embedded commands.
      • Capability inventory: The skill possesses file write capabilities (extractall, Path.write_bytes) and executes external commands (soffice).
      • Sanitization: Inconsistent. While defusedxml is used in some scripts (pack.py, unpack.py), others use standard zipfile and lxml which lack inherent security filters for untrusted inputs.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:41 PM