pptx
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes external system commands using the
subprocessmodule to perform core tasks. Evidence:scripts/thumbnail.pyrunspdftoppmto convert PDF slides into images;scripts/office/validators/redlining.pyusesgit diffto perform comparisons;scripts/office/soffice.pyexecutes the system compiler (gcc) and LibreOffice (soffice). - [REMOTE_CODE_EXECUTION]: The script
scripts/office/soffice.pyemploys a dynamic code generation and injection pattern. It writes an embedded C source string to a temporary file (lo_socket_shim.c) and compiles it into a shared library usinggccat runtime. It then uses theLD_PRELOADenvironment variable to inject this library into thesofficeprocess to modify its behavior regarding Unix sockets. While intended for environment compatibility, this mechanism bypasses standard execution constraints and represents a significant security capability. - [EXTERNAL_DOWNLOADS]: Documentation in
SKILL.mdandpptxgenjs.mdguides users to install multiple external packages from public package registries. Requirements includepptxgenjs,markitdown[pptx],react-icons,react,react-dom, andsharp. - [PROMPT_INJECTION]: The skill is designed to ingest and parse untrusted content from PowerPoint files, creating a surface for indirect prompt injection. Ingestion points: Presentation content is extracted via
markitdownand raw XML unpacking (scripts/office/unpack.py). Boundary markers: Extracted content is processed without clear delimiters or instructions to the AI to ignore embedded commands. Capability inventory: The skill has broad capabilities, including arbitrary file writes, command execution, and runtime code compilation, which increases the potential impact. Sanitization: There is no evidence of filtering or sanitizing the text extracted from presentations before it enters the agent context.
Audit Metadata