docx

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill consistently uses the defusedxml library for XML parsing across its Python components (document.py, unpack.py, pack.py, and utilities.py), which effectively mitigates the risk of XML External Entity (XXE) attacks.
  • [SAFE]: Command execution via subprocess.run in ooxml/scripts/pack.py and ooxml/scripts/validation/redlining.py is implemented using argument lists rather than shell strings, preventing shell injection vulnerabilities.
  • [SAFE]: The skill's external dependencies are restricted to established and reputable tools, including pandoc, LibreOffice (soffice), and poppler-utils (pdftoppm).
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it processes untrusted data from .docx files.
      • Ingestion points: Document content is converted to markdown using pandoc or extracted as raw XML using ooxml/scripts/unpack.py and scripts/utilities.py.
      • Boundary markers: There are no explicit delimiters to isolate document text from the agent's internal instructions.
      • Capability inventory: The skill allows for file system writes and the execution of document processing commands.
      • Sanitization: While structural security is maintained by defusedxml, the natural language content is not sanitized for potential instructions. However, this risk is inherent to the primary purpose of a document processing utility.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 03:10 PM