oracle-pptx

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Arbitrary command execution risk via unsanitized file path interpolation in shell commands.
    • The JavaScript module scripts/image-gen/validate-image.mjs contains the validateImageFile function, which supports an optional contentCheck shell hook.
    • This function performs a simple string replacement of {path} with an image file path and executes the resulting string using node:child_process spawnSync with shell: true. This allows command injection if an image path contains shell metacharacters such as backticks or semicolons.
  • [COMMAND_EXECUTION]: Insecure shell execution in the Python validation harness.
    • The Python script scripts/validate/ensure_raster_image.py implements a matching content_check feature that similarly uses subprocess.run(cmd, shell=True) to execute commands with interpolated paths.
  • [COMMAND_EXECUTION]: Execution of system binaries for document processing.
    • The skill programmatically invokes external system tools, including soffice (LibreOffice) and pdftoppm (poppler-utils), to perform document conversion and rasterization.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 30, 2026, 07:56 AM