pptx

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes external binaries to perform document conversion and validation tasks.
  • Multiple scripts (scripts/thumbnail.py, ooxml/scripts/pack.py, ooxml/scripts/validation/redlining.py) use subprocess.run() to execute soffice (LibreOffice), pdftoppm (Poppler), and git.
  • These commands are implemented using argument lists rather than shell strings, which follows security best practices to prevent command injection.
  • [EXTERNAL_DOWNLOADS]: The skill requires several standard third-party libraries for its operations.
  • Python dependencies include markitdown, python-pptx, defusedxml, lxml, and Pillow.
  • Node.js dependencies include pptxgenjs, playwright, and sharp.
  • These are well-known packages from established registries (PyPI and NPM) used for their intended purposes.
  • [PROMPT_INJECTION]: The skill processes external .pptx files, creating a surface for indirect prompt injection.
  • Ingestion points: Untrusted text is extracted from slides in scripts/inventory.py and scripts/rearrange.py and provided to the agent context.
  • Boundary markers: The instructions do not specify the use of clear delimiters (e.g., XML tags or specific markdown blocks) to isolate content extracted from presentations from the agent's instructions.
  • Capability inventory: The skill has the ability to execute system commands via subprocess.run and write files to the local workspace.
  • Sanitization: While the skill uses defusedxml to protect against XML-based attacks (like XXE) during parsing, it does not include specific sanitization or filtering for the natural language text extracted from slides to prevent potential instruction override.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 06:40 AM
Security Audit — agent-trust-hub — pptx