skills/cat-xierluo/suitagent/docx/Gen Agent Trust Hub

docx

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes system tools to perform document operations. ooxml/scripts/pack.py executes soffice for file conversion and validation, and ooxml/scripts/validation/redlining.py uses git for diffing.
  • [REMOTE_CODE_EXECUTION]: The file ooxml/scripts/unpack.py uses zipfile.extractall() without path validation. This vulnerability, known as Zip Slip, allows a malicious archive to write files outside the target directory, which could let an attacker achieve code execution by overwriting configuration or startup scripts.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file lists several third-party dependencies for the user to install, including pandoc, libreoffice, poppler-utils, and the docx npm library.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It processes untrusted document content, which can contain malicious instructions. The analysis chain is as follows: (1) Ingestion point: ooxml/scripts/unpack.py and pandoc commands; (2) Boundary markers: absent; (3) Capabilities: subprocess execution and file system writes; (4) Sanitization: structural parsing via defusedxml is present, but there is no content filtering for natural language instructions.
  • [PROMPT_INJECTION]: Deceptive authorship information is present; the LICENSE.txt file identifies the owner as 'Anthropic, PBC', which contradicts the provided author name 'cat-xierluo'.
  • [SAFE]: The skill employs defusedxml for XML parsing, providing protection against standard XML-based attacks like entity expansion.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 07:14 AM