docx

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/office/soffice.py implements a dynamic execution pattern involving runtime compilation and process injection.
      • It contains embedded C source code for a socket shim designed to bypass environment-specific socket restrictions.
      • It writes this source to a temporary file and executes gcc to compile it into a shared library (.so) at runtime.
      • It then uses the LD_PRELOAD environment variable to load this library into the soffice (LibreOffice) process. While this behavior is documented as a workaround for sandboxing issues, runtime compilation and injection into other processes are high-risk patterns.
  • [COMMAND_EXECUTION]: Multiple Python scripts execute external shell commands via the subprocess module to perform document processing tasks.
      • scripts/office/soffice.py executes gcc and soffice.
      • scripts/accept_changes.py executes soffice to clean tracked changes.
      • scripts/office/validators/redlining.py executes git diff to perform word-level comparisons between documents.
  • [DATA_EXFILTRATION]: The skill processes untrusted document data, creating a vulnerability surface for data exposure and indirect instruction injection.
      • Ingestion points: Untrusted data enters the context from Word documents via scripts/office/unpack.py and various document validators.
      • Boundary markers: The processing logic lacks explicit markers to differentiate between document content and agent instructions.
      • Capability inventory: The skill has broad capabilities, including file system access, subprocess execution, and runtime code generation.
      • Sanitization: While some components use defusedxml, others, such as scripts/office/validators/redlining.py and scripts/office/helpers/simplify_redlines.py, use the standard xml.etree.ElementTree library, which is vulnerable to XML External Entity (XXE) attacks. This could potentially allow a maliciously crafted document to read sensitive local files during the validation or simplification steps.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 10:50 PM