The Agent Skills Directory

[COMMAND_EXECUTION] (LOW): In ooxml/scripts/pack.py, the validate_document function uses subprocess.run to execute the soffice (LibreOffice) binary for document validation. While it passes arguments as a list to prevent shell injection, it relies on the security and presence of an external system binary.- [REMOTE_CODE_EXECUTION] (LOW): The script ooxml/scripts/unpack.py uses zipfile.ZipFile.extractall() on user-provided Office documents. This method is susceptible to 'Zip Slip' (directory traversal) if a malicious document contains filenames with ../ sequences, potentially allowing files to be written to arbitrary locations on the filesystem.- [SAFE] (LOW): In ooxml/scripts/validation/docx.py, the lxml.etree library is used to parse XML files extracted from the document. Unlike the defusedxml usage in other files, this parsing does not explicitly disable entity resolution, which could pose an XXE risk if the unpacking logic were bypassed or if the environment's lxml defaults are insecure.- [SAFE] (SAFE): The skill correctly implements the defusedxml library in ooxml/scripts/pack.py and ooxml/scripts/unpack.py to securely handle XML data, which is a critical protection when dealing with Office formats.

pptx