office-pptx

Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently uses subprocess.run and child_process.spawn to execute external system utilities, which increases the attack surface when processing untrusted files:
      • soffice (LibreOffice) is used to convert PPTX files to PDF and HTML.
      • pdftoppm (Poppler) is used to convert PDF pages into slide images.
      • git is invoked to perform word-level diffs during redlining validation.
      • chromium (via Playwright) is used to render HTML slide content.
  • [COMMAND_EXECUTION]: Logic in ooxml/scripts/unpack.py and ooxml/scripts/validation/base.py uses zipfile.ZipFile.extractall() on user-provided Office documents. This method is vulnerable to 'ZipSlip' attacks, where a malicious archive contains filenames with directory traversal sequences (e.g., ../../) that can overwrite or create files outside the intended directory.
  • [EXTERNAL_DOWNLOADS]: The skill depends on a broad set of Node.js and Python packages, as well as a browser binary (Chromium) and system tools (LibreOffice, Poppler). While these originate from well-known sources, they represent a significant supply chain and dependency surface.
  • [PROMPT_INJECTION]: The skill has a high vulnerability surface for Indirect Prompt Injection. It ingests untrusted Office documents and converts them to text formats (Markdown, JSON) for agent analysis without sanitization or boundary markers.
      • Ingestion points: ooxml/scripts/unpack.py, scripts/inventory.py, and markitdown usage.
      • Boundary markers: Absent; the skill interpolates raw extracted text into the agent's context.
      • Capability inventory: The skill has extensive file system write access and can execute arbitrary shell commands via the converted presentation content.
      • Sanitization: Uses defusedxml to protect against XML External Entity (XXE) attacks, which is a positive mitigation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 6, 2026, 09:37 PM