Pptx
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary workflows rely on executing external system binaries and generating code at runtime.
- Several Python scripts (
Ooxml/Scripts/pack.py,Scripts/thumbnail.py) usesubprocess.runto executesoffice(LibreOffice) andpdftoppm(Poppler) for file conversion and thumbnail generation. - The
html2pptxworkflow explicitly instructs the agent to "Create and run a JavaScript file" to perform the conversion, which is a form of dynamic code generation and execution on the local machine. - [PROMPT_INJECTION]: The skill processes untrusted user-provided PowerPoint files and converts their contents to text or JSON for the agent to read. This creates a surface for indirect prompt injection attacks.
- The agent is instructed to "read the entire file" for extracted content and inventories, which could contain malicious instructions embedded in the presentation text intended to override the agent's behavior.
- Evidence includes the text extraction workflow using
markitdownand the text inventory extraction viaScripts/inventory.py. - [DATA_EXFILTRATION]: The skill instructs the agent to read a sensitive platform-specific configuration file located at
~/.claude/PAI/SKILL.mdbefore starting tasks. - While this is a platform feature (PAI context), instructing an agent to read files from a specific local path containing security rules and contact lists is a potential exposure risk if combined with network capabilities.
Audit Metadata