powerpoint-automation

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Several scripts utilize shell commands to perform legitimate automation tasks. For instance, 'resume_workflow.py' uses 'subprocess.run' with 'shell=True' to invoke the Windows 'start' command for opening generated presentations. 'create_from_template.py' and 'pptx-signature.js' execute 'git remote' to retrieve repository metadata for attribution signatures in speaker notes. These are functional components of the automation workflow and rely on sanitized internal path variables.
  • [EXTERNAL_DOWNLOADS]: The generation pipeline, specifically in 'create_from_template.py', 'create_ja_pptx.py', and 'create_pptx.js', includes logic to download image files from remote URLs. This is used to embed visual content from web sources or user-provided links directly into the slides. This behavior is documented and expected for the skill's purpose.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it ingests untrusted data from URLs and external PowerPoint files. * Ingestion points: 'classify_input.py' and 'extract_images.py' fetch content from remote URLs and input files referenced in the workflow. * Boundary markers: Not explicitly enforced in the intermediate JSON representation (content.json), although documentation emphasizes manual verification steps in the PLAN phase. * Capability inventory: The skill has capabilities for file system writes, network requests, and shell command execution across various Python and Node.js scripts. * Sanitization: 'validate_content.py' performs structural schema validation on ingested data, though it does not specifically filter for natural language instructions intended to influence agent behavior.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 10:54 AM
Security Audit — agent-trust-hub — powerpoint-automation