docx

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill's core workflow relies on unpacking Office documents (.docx, .pptx, .xlsx) using Python's zipfile.ZipFile.extractall() method in ooxml/scripts/unpack.py and ooxml/scripts/validation/base.py. This implementation is vulnerable to ZipSlip attacks because it does not validate whether extracted filenames contain directory traversal sequences (e.g., ../../). A malicious archive could overwrite critical system configurations or scripts outside the target directory.
  • [PROMPT_INJECTION]: The instructions in SKILL.md (lines 51, 62, and 88) attempt to override standard agent tool behavior. The skill mandates that the documentation files (docx-js.md and ooxml.md) be read in their entirety and explicitly forbids the agent from using range-limited reads. This is a common technique for forcing the model to process large volumes of potentially instruction-laden text while bypassing tool-based efficiency and safety constraints.
  • [PROMPT_INJECTION]: There is a deceptive ownership conflict in the skill's metadata. The manifest identifies the author as microck, but the LICENSE.txt file claims copyright ownership by Anthropic, PBC. This discrepancy is a sign of potentially impersonated content designed to leverage the reputation of another organization.
  • [EXTERNAL_DOWNLOADS]: The skill requires several external system and language-specific dependencies to function, including pandoc, the docx NPM package, LibreOffice, and Poppler-utils. While these are well-known tools, they are required for the skill's primary operations and represent an external dependency chain.
  • [COMMAND_EXECUTION]: Several validation scripts (ooxml/scripts/pack.py and ooxml/scripts/validation/redlining.py) use subprocess.run to execute shell commands like soffice and git diff. While these are used for validation purposes, they process document-derived content and represent an execution surface that could be exploited if the underlying tools have vulnerabilities when processing malformed input.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 10, 2026, 08:08 PM