repurpose-deck-from-reference
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The file references/com-and-xml-pitfalls.md contains a Python snippet that uses exec() to run the content of a local script (rebuild_deck.py) after dynamically injecting code into it. This technique is inherently risky as it allows for the execution of code that may be influenced by external data collected during the research phase.
- [COMMAND_EXECUTION]: The workflow described in references/com-and-xml-pitfalls.md includes PowerShell commands to forcibly terminate processes like POWERPNT and FileCoAuth. Forcibly terminating processes can lead to unexpected data loss and is a high-privilege operation.
- [DATA_EXFILTRATION]: The skill implements a screenshot capture mechanism using PrintWindow in references/screenshot-mask-pattern.md. While the skill includes instructions for masking Personally Identifiable Information (PII), the capability to capture the full contents of a window presents a significant data exposure risk if the masking logic fails or is not applied correctly.
- [PROMPT_INJECTION]: The skill fetches content from external URLs via web_fetch which is then used to build decks that are subsequently reviewed and critiqued by a sub-agent. This pipeline creates a surface for indirect prompt injection. 1. Ingestion points: Research phase fetches content from external documentation and repositories via web_fetch. 2. Boundary markers: No specific delimiters or warnings are used to segregate external data from instructions. 3. Capability inventory: File system writes (PPTX), command execution (Python/PowerShell), and network access (web_fetch). 4. Sanitization: Detailed masking instructions are provided for images, but no sanitization or validation is applied to ingested text data.
Audit Metadata