office-pptx
Pass
Audited by Gen Agent Trust Hub on Jun 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted Office Open XML and HTML content provided by users, which creates a vulnerability surface where instructions embedded in the data could override agent behavior.
- Ingestion points: Text extraction in
scripts/inventory.pyand HTML slide rendering inscripts/html2pptx.cjs. - Boundary markers: Absent. Processed content is interpolated into the agent context without explicit delimiters or warnings to ignore embedded instructions.
- Capability inventory: The skill utilizes
subprocess.runto execute system tools (soffice,pdftoppm,git) and generates local JavaScript files executed viadeno run --allow-all. - Sanitization: The skill properly employs
defusedxmlinooxml/scripts/pack.pyandooxml/scripts/unpack.pyto mitigate XML-related attacks like XXE during document manipulation. - [COMMAND_EXECUTION]: Several components execute system utilities via shell commands to facilitate file conversion, rendering, and comparison.
- Evidence:
scripts/thumbnail.pyexecutessofficeandpdftoppmfor slide rendering. - Evidence:
ooxml/scripts/validation/redlining.pyexecutesgit difffor comparing document versions. - Evidence:
scripts/html2pptx.cjsspawns a Chromium process for HTML rendering. - [DYNAMIC_EXECUTION]: The workflow relies on the agent generating and executing JavaScript scripts at runtime using Deno with broad system permissions.
- Evidence:
SKILL.mdinstructs the agent to create a JavaScript file and execute it usingdeno run --allow-allto perform document assembly.
Audit Metadata