powerpoint-automation
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Several scripts utilize shell commands to perform legitimate automation tasks. For instance, 'resume_workflow.py' uses 'subprocess.run' with 'shell=True' to invoke the Windows 'start' command for opening generated presentations. 'create_from_template.py' and 'pptx-signature.js' execute 'git remote' to retrieve repository metadata for attribution signatures in speaker notes. These are functional components of the automation workflow and rely on sanitized internal path variables.
- [EXTERNAL_DOWNLOADS]: The generation pipeline, specifically in 'create_from_template.py', 'create_ja_pptx.py', and 'create_pptx.js', includes logic to download image files from remote URLs. This is used to embed visual content from web sources or user-provided links directly into the slides. This behavior is documented and expected for the skill's purpose.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it ingests untrusted data from URLs and external PowerPoint files. * Ingestion points: 'classify_input.py' and 'extract_images.py' fetch content from remote URLs and input files referenced in the workflow. * Boundary markers: Not explicitly enforced in the intermediate JSON representation (content.json), although documentation emphasizes manual verification steps in the PLAN phase. * Capability inventory: The skill has capabilities for file system writes, network requests, and shell command execution across various Python and Node.js scripts. * Sanitization: 'validate_content.py' performs structural schema validation on ingested data, though it does not specifically filter for natural language instructions intended to influence agent behavior.
Audit Metadata