pptx
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The file `scripts/office/soffice.py` contains a hardcoded C source code shim that is written to a temporary file and compiled at runtime using `gcc`. The resulting shared library is then injected into the `soffice` process using the `LD_PRELOAD` environment variable. This dynamic execution technique bypasses environment restrictions but is a high-risk pattern.
- [COMMAND_EXECUTION]: The skill uses the `subprocess` module to execute external binaries including `gcc` for compilation, `soffice` for PowerPoint conversion, and `pdftoppm` for slide image generation.
- [EXTERNAL_DOWNLOADS]: The skill performs several external downloads at runtime, including the installation of Python packages (`python-pptx`, `markitdown`, `Pillow`, `lxml`) via `pip` and fetching remote images using the `requests` library.
- [DATA_EXFILTRATION]: Several scripts parse user-provided PowerPoint XML files using `lxml.etree` and `xml.etree.ElementTree`, which are susceptible to XML External Entity (XXE) attacks. This could potentially allow an attacker to read sensitive files if a malicious document is processed.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it unpacks and reads content from untrusted PPTX files without sanitization (ingestion point: `scripts/office/unpack.py`, boundary markers: absent, capabilities: network/subprocess/S3-write, sanitization: absent). Additionally, instructions in `SKILL.md` direct the agent to hardcode S3 URIs in scripts, which is a sub-optimal security practice.
Audit Metadata