pptx
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes external binaries to perform document conversion and validation tasks.
- Multiple scripts (
scripts/thumbnail.py,ooxml/scripts/pack.py,ooxml/scripts/validation/redlining.py) usesubprocess.run()to executesoffice(LibreOffice),pdftoppm(Poppler), andgit. - These commands are implemented using argument lists rather than shell strings, which follows security best practices to prevent command injection.
- [EXTERNAL_DOWNLOADS]: The skill requires several standard third-party libraries for its operations.
- Python dependencies include
markitdown,python-pptx,defusedxml,lxml, andPillow. - Node.js dependencies include
pptxgenjs,playwright, andsharp. - These are well-known packages from established registries (PyPI and NPM) used for their intended purposes.
- [PROMPT_INJECTION]: The skill processes external
.pptxfiles, creating a surface for indirect prompt injection. - Ingestion points: Untrusted text is extracted from slides in
scripts/inventory.pyandscripts/rearrange.pyand provided to the agent context. - Boundary markers: The instructions do not specify the use of clear delimiters (e.g., XML tags or specific markdown blocks) to isolate content extracted from presentations from the agent's instructions.
- Capability inventory: The skill has the ability to execute system commands via
subprocess.runand write files to the local workspace. - Sanitization: While the skill uses
defusedxmlto protect against XML-based attacks (like XXE) during parsing, it does not include specific sanitization or filtering for the natural language text extracted from slides to prevent potential instruction override.
Audit Metadata