pptx
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Runtime compilation and process injection.
  - The script `scripts/office/soffice.py` dynamically writes C source code to a temporary file, compiles it using `gcc`, and uses the `LD_PRELOAD` environment variable to inject the resulting shared library into the LibreOffice (`soffice`) process.
  - This mechanism is used to bypass environment restrictions on Unix domain sockets in sandboxed environments but employs patterns typical of advanced process manipulation.
- [COMMAND_EXECUTION]: Execution of system tools via subprocess.
  - Multiple scripts (`scripts/thumbnail.py`, `scripts/office/soffice.py`, `scripts/office/validators/redlining.py`) invoke external binaries including `soffice`, `pdftoppm`, and `git diff` using `subprocess.run()`.
- [PROMPT_INJECTION]: Indirect prompt injection surface.
  - Ingestion points: Untrusted content is extracted from `.pptx` files in `scripts/thumbnail.py` and `scripts/office/unpack.py`.
  - Boundary markers: The skill instructions do not explicitly mandate the use of delimiters or isolation warnings for extracted content.
  - Capability inventory: The agent has access to `subprocess.run` (via `soffice.py` and `thumbnail.py`) and broad file system modification permissions.
  - Sanitization: Content is parsed using `defusedxml`, but text content is not sanitized or filtered against embedded AI instructions, allowing for potential hijacking of the agent's logic.
Audit Metadata