docx

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file contains 'MANDATORY' instructions that attempt to override the AI agent's standard tool usage protocols. Specifically, it instructs the agent to 'NEVER set any range limits' when reading documentation files like docx-js.md and ooxml.md. This is a technique used to force the model to ingest large amounts of content, potentially bypassing standard constraints on context usage.
  • [COMMAND_EXECUTION]: The skill's toolkit executes shell commands via subprocess.run for document conversion (soffice) and comparison (git). While the implementation uses argument lists (which mitigates direct shell injection), it creates a dependency on external binaries being present and executable in the environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill exhibits a vulnerability surface for XML External Entity (XXE) attacks when processing untrusted Office documents.
      ◦ Ingestion points: Office documents (.docx, .pptx) are unpacked and parsed by multiple scripts in the ooxml/scripts/ directory.
      ◦ Boundary markers: There are no explicit markers or instructions to ignore embedded XML commands during parsing.
      ◦ Capability inventory: The toolkit possesses file-read, file-write, and subprocess execution capabilities across its Python scripts.
      ◦ Sanitization: Sanitization is inconsistent. While the primary library (document.py) uses the secure defusedxml library, several core validation scripts (base.py, redlining.py) use standard xml.etree or lxml parsers, which are vulnerable to XXE by default if not specially configured.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 24, 2026, 11:17 AM