keynote
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The main utility script "scripts/keynote_tool.py" executes system commands using the "subprocess" module to interface with "osascript" and "pdftoppm". While these are legitimate uses for automating Keynote and rendering slides, they represent an execution surface for system-level operations.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it extracts and processes text content from external Keynote (.key) files without sufficient boundary protection.
- Ingestion points: Text items and presenter notes are extracted in "scripts/keynote_tool.py" through the "inspect", "dump-text", and "get-notes" commands.
- Boundary markers: Absent. The extracted content is provided to the agent without markers or instructions to ignore potential commands embedded in the data.
- Capability inventory: The skill has the ability to read and write files, as well as execute AppleScript commands via "osascript" which can manipulate the host system.
- Sanitization: While the script performs string escaping to prevent AppleScript injection, it does not sanitize the extracted text for malicious natural language instructions.
Audit Metadata