presentation
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a shell script at `scripts/create-presentation.sh`, which in turn invokes the `marp` command-line utility to transform Markdown into presentation formats.
- [DATA_EXFILTRATION]: The script `scripts/create-presentation.sh` accepts a user-provided file path as the `$INPUT` argument and reads its entire content without validation. This allows an attacker to point the script to sensitive files (e.g., `~/.ssh/config` or `.env` files), which are then incorporated into the presentation workflow.
- [DATA_EXFILTRATION]: The `marp` command is executed with the `--allow-local-files` flag. In the absence of input sanitization, this configuration allows the Markdown engine to access and embed local system resources into the generated PDF, HTML, or PPTX output, facilitating the exfiltration of local data.
- [DATA_EXFILTRATION]: The script allows the user to specify an arbitrary output path via the `$OUTPUT` argument. Without proper validation or restricted permissions, this could be used to overwrite existing files on the user's system.
Audit Metadata