pptx-codex
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes content from untrusted external PowerPoint files.
  - Ingestion points: The script scripts/extract_text.py reads slide text and speaker notes, while scripts/office/render.py renders slide content into images for visual QA. These processes pull data from the user-provided PPTX into the agent's context.
  - Boundary markers: No explicit delimiters or instructions (e.g., 'ignore embedded commands') are used when presenting extracted text or rendered images to the agent.
  - Capability inventory: The skill possesses significant capabilities that could be abused if an injection succeeds, including the ability to write files (scripts/office/pack.py), delete files within the project tree (scripts/clean.py), and execute shell commands via LibreOffice (scripts/office/soffice.py).
  - Sanitization: No validation or sanitization of the content extracted from presentation files is performed before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill performs legitimate but notable command execution using subprocess.run to manage office document workflows.
  - Subprocess calls: scripts/office/render.py invokes LibreOffice (soffice) in headless mode to convert presentations to PDF for rendering.
  - Argument passthrough: scripts/office/soffice.py acts as a wrapper that passes arbitrary command-line arguments directly to the system's soffice utility.
  - Internal orchestration: scripts/thumbnail.py and scripts/convert_to_images.py use subprocesses to coordinate execution between different Python scripts within the skill.