The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill implements a self-update mechanism in scripts/apply_update.py and scripts/check_update.py. These scripts fetch updates from github.com/GordenSun/GordenPPTSkill.git. The apply_update.py script specifically downloads and overwrites local files, including Python scripts within the skill's own scripts/ directory. This behavior allows for remote code updates which, while intended for functionality, could be leveraged to execute arbitrary code if the remote repository or transit path is compromised.
[COMMAND_EXECUTION]: Multiple scripts utilize the subprocess module to execute system commands:
scripts/apply_update.py and scripts/check_update.py execute git clone, git checkout, and git lfs pull to manage file updates.
scripts/render_slides.py executes soffice (LibreOffice) for PDF conversion and pdftoppm (poppler) for image rendering.
[EXTERNAL_DOWNLOADS]: The skill uses urllib.request.urlopen in scripts/apply_update.py and scripts/check_update.py to download files and JSON metadata from external sources. While the primary source is the author's own GitHub repository, this facilitates the transfer of remote data into the local environment.
[INDIRECT_PROMPT_INJECTION]: The skill possesses a data ingestion surface where user-supplied text from edits.json is interpolated into PowerPoint files via scripts/build_pptx.py. Although the primary capability is writing to .pptx files, the skill also includes rendering capabilities using soffice via scripts/render_slides.py, which processes the generated files. There is no explicit sanitization of the user-provided text before it is inserted into the presentation structure.

gorden-ppt-skill