office-academic-skill

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill exclusively uses the defusedxml library for all XML parsing and manipulation tasks in Python, effectively preventing XML External Entity (XXE) and Billion Laughs vulnerabilities.
  • [COMMAND_EXECUTION]: Local shell commands are invoked via subprocess.run to leverage existing document tools including LibreOffice (soffice) for validation, pdftoppm for thumbnail generation, and git for diffing tracked changes. These commands are executed without a shell (shell=False) and use validated internal paths.
  • [SAFE]: JavaScript logic in html2pptx.js uses Playwright to process local HTML files for slide layout generation, restricted to the local environment via the file:// protocol.
  • [SAFE]: No prompt injection attempts, hardcoded credentials, or data exfiltration patterns were detected in the skill's instructions or supporting scripts.
Audit Metadata
Risk Level: SAFE
Analyzed: May 15, 2026, 01:00 PM