skills/danielmiessler/lifeos/Pptx/Gen Agent Trust Hub

Pptx

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's primary workflows rely on executing external system binaries and generating code at runtime.
  • Several Python scripts (Ooxml/Scripts/pack.py, Scripts/thumbnail.py) use subprocess.run to execute soffice (LibreOffice) and pdftoppm (Poppler) for file conversion and thumbnail generation.
  • The html2pptx workflow explicitly instructs the agent to "Create and run a JavaScript file" to perform the conversion, which is a form of dynamic code generation and execution on the local machine.
  • [PROMPT_INJECTION]: The skill processes untrusted user-provided PowerPoint files and converts their contents to text or JSON for the agent to read. This creates a surface for indirect prompt injection attacks.
  • The agent is instructed to "read the entire file" for extracted content and inventories, which could contain malicious instructions embedded in the presentation text intended to override the agent's behavior.
  • Evidence includes the text extraction workflow using markitdown and the text inventory extraction via Scripts/inventory.py.
  • [DATA_EXFILTRATION]: The skill instructs the agent to read a sensitive platform-specific configuration file located at ~/.claude/PAI/SKILL.md before starting tasks.
  • While this is a platform feature (PAI context), instructing an agent to read files from a specific local path containing security rules and contact lists is a potential exposure risk if combined with network capabilities.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — Pptx