skills/zephyrwang6/myskill/docx/Gen Agent Trust Hub

docx

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Path Traversal (ZipSlip) vulnerability detected in ooxml/scripts/unpack.py.
  • Evidence: The script uses zipfile.ZipFile(input_file).extractall(output_path) without verifying that the file paths inside the ZIP archive are confined to the output_path. A malicious Office document could contain filenames like ../../etc/shadow or ../../scripts/malicious.py to overwrite arbitrary files on the system.
  • [COMMAND_EXECUTION] (MEDIUM): Subprocess execution of soffice (LibreOffice) in ooxml/scripts/pack.py.
  • Evidence: The validate_document function uses subprocess.run to call soffice --headless --convert-to html .... Executing a full office suite on potentially malicious, attacker-controlled OOXML files is risky due to the history of document-parsing vulnerabilities in LibreOffice.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): High capability surface when processing untrusted external data.
  • Ingestion points: ooxml/scripts/unpack.py (via zipfile) and ooxml/scripts/validation/docx.py (via lxml.etree).
  • Boundary markers: None detected. The skill processes the raw XML structure of external documents without any sanitization of the logical content.
  • Capability inventory: File system write access via zipfile.extractall and Path.write_bytes; external process execution via subprocess.run (soffice).
  • Sanitization: While defusedxml is used in some files to mitigate XXE, it does not protect against the identified ZipSlip vulnerability or logical manipulation of the document structure that could trigger downstream agent misbehavior.
  • [CATEGORY 10: DYNAMIC EXECUTION] (LOW): Use of lxml for XML parsing in ooxml/scripts/validation/docx.py.
  • Evidence: lxml.etree.parse() is used to process the extracted document files. lxml is not secure against all XML-based attacks by default; although defusedxml is used elsewhere in the skill, its absence in the validation logic is a consistency risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:44 AM