pptx
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): Path Traversal (ZipSlip) vulnerability in file extraction. Evidence: `zipfile.ZipFile(input_file).extractall(output_path)` in `ooxml/scripts/unpack.py` and `zip_ref.extractall(temp_dir)` in `ooxml/scripts/validation/docx.py`. These calls lack path validation, enabling an attacker to overwrite files outside the target directory using `../` sequences in a malicious ZIP archive.
- [COMMAND_EXECUTION] (MEDIUM): Execution of external binary on untrusted input. Evidence: `ooxml/scripts/pack.py` uses `subprocess.run(["soffice", ...])` to convert documents. This exposes the agent to vulnerabilities in LibreOffice's document parsing engine.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Potentially unsafe XML parsing in `ooxml/scripts/validation/docx.py`. Evidence: `lxml.etree.parse(str(xml_file))` is used without explicit hardening against XML External Entity (XXE) attacks, unlike other scripts in the skill that use `defusedxml`.
- [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection surface (Category 8).
  1. Ingestion points: `ooxml/scripts/unpack.py` and `ooxml/scripts/validate.py` (processes untrusted `.docx`, `.pptx`, `.xlsx` files).
  2. Boundary markers: Absent; the skill processes raw XML content from external files without delimiters or instructions to ignore embedded commands.
  3. Capability inventory: `subprocess.run` (soffice), `zipfile.extractall` (file write), and multiple file modification operations across `rearrange.py` and `pack.py`.
  4. Sanitization: Incomplete; while some XML parsing uses `defusedxml`, the extraction process lacks path sanitization and core validation logic in `docx.py` uses standard lxml.
Recommendations
- AI detected serious security threats
Audit Metadata