pptx
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [Dynamic Execution] (MEDIUM): The script `scripts/office/soffice.py` dynamically generates and compiles C code at runtime. It writes a shim to a temporary location and uses `gcc` to compile it into a shared object (`.so`). This library is then injected into the `soffice` process via the `LD_PRELOAD` environment variable. While this is a sophisticated technical solution for enabling LibreOffice in restricted environments, runtime compilation and library injection are high-risk behaviors. The severity is set to MEDIUM because this logic is a core part of the primary skill purpose for handling office documents.
- [Indirect Prompt Injection] (LOW): The skill is designed to extract and process content from user-provided `.pptx` files, which creates a vulnerability to indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context via `markitdown` as seen in `SKILL.md` and `editing.md` (e.g., `python -m markitdown presentation.pptx`).
  - Boundary markers: The instructions do not define clear boundary markers or provide the agent with specific warnings to ignore instructions embedded within the extracted presentation text.
  - Capability inventory: The skill has broad capabilities, including subprocess execution (`gcc`, `soffice`, `pdftoppm`, `git`) and file system manipulation (`scripts/clean.py` unlinks files).
  - Sanitization: The skill mitigates XML-related risks (like XXE) by consistently using the `defusedxml` library for parsing throughout its scripts.
Audit Metadata