office-pptx

Pass

Audited by Gen Agent Trust Hub on Jun 1, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted Office Open XML and HTML content provided by users, which creates a vulnerability surface where instructions embedded in the data could override agent behavior.
  • Ingestion points: Text extraction in scripts/inventory.py and HTML slide rendering in scripts/html2pptx.cjs.
  • Boundary markers: Absent. Processed content is interpolated into the agent context without explicit delimiters or warnings to ignore embedded instructions.
  • Capability inventory: The skill utilizes subprocess.run to execute system tools (soffice, pdftoppm, git) and generates local JavaScript files executed via deno run --allow-all.
  • Sanitization: The skill properly employs defusedxml in ooxml/scripts/pack.py and ooxml/scripts/unpack.py to mitigate XML-related attacks like XXE during document manipulation.
  • [COMMAND_EXECUTION]: Several components execute system utilities via shell commands to facilitate file conversion, rendering, and comparison.
  • Evidence: scripts/thumbnail.py executes soffice and pdftoppm for slide rendering.
  • Evidence: ooxml/scripts/validation/redlining.py executes git diff for comparing document versions.
  • Evidence: scripts/html2pptx.cjs spawns a Chromium process for HTML rendering.
  • [DYNAMIC_EXECUTION]: The workflow relies on the agent generating and executing JavaScript scripts at runtime using Deno with broad system permissions.
  • Evidence: SKILL.md instructs the agent to create a JavaScript file and execute it using deno run --allow-all to perform document assembly.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 1, 2026, 01:21 PM
Security Audit — agent-trust-hub — office-pptx