ppt-tts-script
Warn
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends the installation of an external package via NPM with a confusing name:
@anthropic-ai/gemini-cli. As Gemini is a Google product and Anthropic is a different entity, this mismatch is a significant red flag for potential supply chain attacks or malicious package redirection. - Evidence found in
README.mdandscripts/check_deps.py. - [COMMAND_EXECUTION]: The skill makes extensive use of shell command execution through various methods:
scripts/extract_ppt.pyusesos.system()to invoke system utilities likewhich.scripts/check_deps.pyusessubprocess.run()to execute commands and check versions.scripts/gemini-task.shis a shell script wrapper that executes thegeminicommand with user-supplied arguments, which can be a vector for command injection if inputs are not properly sanitized.- [DYNAMIC_EXECUTION]: The script
scripts/check_deps.pyuses the__import__()function to dynamically load Python modules at runtime. While used for dependency checking, dynamic imports can be used to execute arbitrary code if module names are manipulated. - [INDIRECT_PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection by processing untrusted data from PPTX and PDF files.
- Ingestion points: Raw text extracted from user-provided presentation files in Step 1 (
01_materials/slide-XX.md). - Boundary markers: The prompt templates in
references/manuscript-generator.mduse headers but lack strong delimiters or explicit instructions to the AI to ignore embedded commands within the slide content. - Capability inventory: The agent has the ability to execute shell commands (
os.system,subprocess) and call external APIs via the Gemini CLI. - Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is interpolated into the prompt for script generation.
Audit Metadata