kingdee-ppt
Audited by Socket on May 9, 2026
2 alerts found:
Anomaly / Security: This module is primarily an HTML-to-PPTX converter, not an overtly malicious package. However, it is security-relevant because it renders caller-provided local HTML via file:// in a headless browser, extracts image/background paths from that content, and passes resulting (largely unconstrained) filesystem paths directly into the PowerPoint image/background loader. Additionally, it logs browser console output from the rendered page, which can expose sensitive information if attacker-controlled HTML executes scripts. In a threat model where htmlFile/HTML content or referenced asset paths are not fully trusted, the security risk is moderate and should be reviewed with the downstream presentation/media library’s path-handling behavior in mind.
SUSPICIOUS. The skill’s purpose is coherent, but its execution trust is not: it runs an unverified global `kingdee-ppt` binary with no confirmed same-org publisher evidence, which is disproportionate supply-chain risk for a presentation skill. Optional Vercel deployment and CDN asset loading are plausible but add third-party data flow outside Kingdee.