codeck-export
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill performs dynamic code generation and compilation at runtime.
- In
pptx/scripts/office/soffice.py, the_ensure_shimfunction writes an embedded C source string to a file in the temporary directory and compiles it into a shared library usinggccviasubprocess.run. - The script uses the
LD_PRELOADenvironment variable to inject this library into thesoffice(LibreOffice) process to modify its system call behavior for networking. - [EXTERNAL_DOWNLOADS]: The skill fetches external software binaries during execution.
SKILL.mdcontains instructions for the agent to runnpx playwright install chromium, which downloads browser binaries from a remote repository managed by Microsoft.- [COMMAND_EXECUTION]: The skill executes multiple system-level utilities and shell scripts.
pptx/scripts/office/soffice.pyexecutesgccfor compilation.pptx/scripts/thumbnail.pyandpptx/scripts/office/soffice.pyinvokesofficeandpdftoppm.pptx/scripts/office/validators/redlining.pyusesgit difffor document comparison.SKILL.mdruns a shell scriptstatus.shto check project state.- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection through the processing of untrusted project data.
- Ingestion points:
SKILL.mdreads project-specific HTML files (*-r*.html) to perform conversions and visual QA. - Boundary markers: The instructions do not define delimiters for the HTML content or provide warnings to ignore instructions embedded within the processed deck files.
- Capability inventory: The skill has broad capabilities including file system access, network-adjacent browser execution via Playwright, and shell command execution.
- Sanitization: No evidence of sanitization or filtering of the HTML content is present before it is rendered by Playwright or inspected by the agent.
Audit Metadata