pptx
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: High-risk technical workaround in `scripts/office/soffice.py`. The script writes C source code to a temporary file, compiles it into a shared library using `gcc`, and then injects it into the LibreOffice (soffice) process via the `LD_PRELOAD` environment variable. This is used to shim AF_UNIX sockets in restricted virtual environments but represents a significant security surface.
- [COMMAND_EXECUTION]: Frequent use of the `subprocess` module to execute system-level commands including `gcc`, `soffice`, `pdftoppm`, and `git` across `scripts/office/soffice.py`, `scripts/thumbnail.py`, `scripts/office/pack.py`, and `scripts/office/validators/redlining.py`.
- [EXTERNAL_DOWNLOADS]: The documentation in `pptxgenjs.md` explicitly supports and provides examples for fetching remote images via URLs (e.g., `https://example.com/image.jpg`) during the slide generation process.
- [PROMPT_INJECTION]: High vulnerability surface for Indirect Prompt Injection. The skill ingests untrusted data from `.pptx` files (unzipped and parsed as XML in `unpack.py`) and recommends using subagents to process this content.
  - Ingestion points: `scripts/office/unpack.py` and `scripts/add_slide.py` extract and manipulate raw XML from user-provided Office files.
  - Boundary markers: None detected in scripts; the logic interpolates extracted XML content directly into processing flows.
  - Capability inventory: The skill has broad capabilities including arbitrary file system access, network downloads (via `pptxgenjs`), and subprocess execution (`soffice`, `gcc`).
  - Sanitization: The skill correctly uses `defusedxml` to mitigate XML External Entity (XXE) attacks, but does not sanitize the natural language content within the XML that is later processed by the AI agent.