pptx (skills/guangtouwangba/weaver/pptx)

Verdict: Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Vulnerability to Path Traversal (ZipSlip) during document extraction.
  • Evidence:
  • ooxml/scripts/unpack.py: The script uses zipfile.ZipFile(input_file).extractall(output_path) to unpack OOXML files.
  • ooxml/scripts/validation/docx.py: The count_paragraphs_in_original method uses zip_ref.extractall(temp_dir).
  • Description: Neither call site checks that archive members resolve inside the intended target directory before writing them. An archive whose member names contain parent-directory components (e.g. ../../.ssh/authorized_keys) or absolute paths is the classic ZipSlip payload. Caveat: CPython's zipfile.extract() strips leading separators, drive prefixes and every ".." component from member names before writing, so on CPython such a member lands inside the target directory rather than outside it, and zipfile writes symlink members as plain files rather than creating links. The practical risk is therefore defence in depth and any other extractor or later code path that reuses the raw member names; an explicit containment check before extraction still costs little and makes the intent auditable.
  • [COMMAND_EXECUTION] (MEDIUM): XML External Entity (XXE) vulnerability surface.
  • Evidence:
  • ooxml/scripts/validation/docx.py: Uses lxml.etree.parse(str(xml_file)) multiple times (lines 77, 124, 157, 177) without disabling external entity resolution.
  • Description: While other parts of the skill use defusedxml, the Word validation logic calls lxml.etree.parse() without an explicit XMLParser on XML files extracted from untrusted documents. Depending on the lxml version, the default parser may expand external entities declared in the document's internal DTD subset, which lets a crafted part read local files (file:// SYSTEM entities) into the parsed tree. lxml's default no_network=True blocks remote fetches for entities and DTDs, so the SSRF variant requires that default to be relaxed; local file disclosure is the realistic impact. Fix: construct etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True) and pass it to every parse() call, or route these calls through the same defusedxml helpers the rest of the skill already uses.
  • [COMMAND_EXECUTION] (LOW): Subprocess execution of external binaries.
  • Evidence:
  • ooxml/scripts/pack.py: Calls subprocess.run(["soffice", ...]) to perform document validation.
  • Description: Although it uses a list of arguments and avoids a shell, it introduces a dependency on the system-installed LibreOffice binary (soffice), which might have its own attack surface when processing malformed documents.
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface (Category 8).
  • Ingestion points: ooxml/scripts/unpack.py and scripts/rearrange.py read content from external Office documents.
  • Boundary markers: Absent. The scripts extract raw XML/text without adding protective delimiters or instruction-ignore headers.
  • Capability inventory: The skill can write files (zipfile, shutil), execute subprocesses (soffice), and modify presentation structures.
  • Sanitization: Absent. Content is processed and written back to disk without sanitization.
  • Description: If an agent uses these tools to read document content and subsequently follows instructions found within that content, it is vulnerable to indirect prompt injection.
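The following is an added example for the ZipSlip finding above; it is not code from the audited skill or from the Gen Agent Trust Hub page. It builds a constructed archive containing a member named ../../evil.txt, shows that CPython's own extractall() sanitizes the name into the target directory, and implements the containment check the finding asks for (a realpath-based check against the extraction root, applied to every member before anything is written). The member names and helper names are illustrative.

```python
import io
import os
import tempfile
import zipfile


class UnsafeArchiveMember(ValueError):
    """Raised for a member whose name would resolve outside the extraction root."""


def build_archive(include_escape: bool) -> bytes:
    # Constructed sample archive (not from the audited skill): one ordinary
    # OOXML part, optionally plus a member that tries to climb out of the target.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if include_escape:
            zf.writestr("../../evil.txt", "owned")
    return buf.getvalue()


def _contained_path(root: str, member_name: str) -> str:
    """Return the absolute destination for member_name, or raise if it escapes root."""
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        raise UnsafeArchiveMember(member_name)
    dest = os.path.realpath(os.path.join(root, member_name))
    # realpath also follows symlinks already present under root, so a link
    # planted earlier cannot redirect a later write outside the root.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeArchiveMember(member_name)
    return dest


def safe_extract(archive: bytes, output_path: str) -> list[str]:
    """Extract members only after every member name has passed the containment check."""
    root = os.path.realpath(output_path)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # Validate the whole archive first so a bad member aborts before any write.
        plan = [(info, _contained_path(root, info.filename)) for info in zf.infolist()]
        for info, dest in plan:
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo() -> dict:
    """Compare stdlib extractall() with safe_extract() on the constructed archives."""
    evil = build_archive(include_escape=True)
    with tempfile.TemporaryDirectory() as tmp:
        stdlib_dir = os.path.join(tmp, "stdlib")
        os.makedirs(stdlib_dir)
        with zipfile.ZipFile(io.BytesIO(evil)) as zf:
            zf.extractall(stdlib_dir)  # CPython drops the '..' components

        safe_dir = os.path.join(tmp, "safe")
        os.makedirs(safe_dir)
        try:
            safe_extract(evil, safe_dir)
            refused = None
        except UnsafeArchiveMember as exc:
            refused = str(exc)

        benign_dir = os.path.join(tmp, "benign")
        os.makedirs(benign_dir)
        benign_written = safe_extract(build_archive(include_escape=False), benign_dir)

        return {
            "stdlib_sanitized_into_target": os.path.isfile(os.path.join(stdlib_dir, "evil.txt")),
            "refused_member": refused,
            "safe_dir_untouched": os.listdir(safe_dir) == [],
            "benign_written": benign_written,
        }


if __name__ == "__main__":
    print(demo())
```

Validating every name before the first write matters: a check that runs per member while extracting leaves the benign members on disk when a later member is rejected, which is awkward for a script that reports a clean failure to the agent.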
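The following is an added example for the XXE finding above, not code from the audited skill; it assumes lxml is installed and a POSIX file path. It constructs a word/document.xml with an external entity pointing at a local file, parses it once with a parser that is explicitly allowed to resolve external entities and once with the hardened parser settings the finding recommends, and returns the text each parse yields. The parser names, the entity name and the secret file are illustrative.

```python
import os
import tempfile

from lxml import etree

# Parser configurations: the first expands external entities; the second keeps
# entity references unexpanded and disables DTD loading and network access.
PERMISSIVE_PARSER = etree.XMLParser(resolve_entities=True)
HARDENED_PARSER = etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)


def xxe_payload(secret_path: str) -> bytes:
    """Constructed document part (not from a real file): a text run that
    references an external entity whose SYSTEM id points at a local file."""
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<!DOCTYPE w:document [<!ENTITY leak SYSTEM "file://' + secret_path.encode() + b'">]>\n'
        b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        b'<w:body><w:p><w:r><w:t>&leak;</w:t></w:r></w:p></w:body></w:document>'
    )


def document_text(xml_bytes: bytes, parser: etree.XMLParser) -> str:
    """Parse with the given parser and join all text nodes, the way a validator
    that counts paragraphs or collects run text would see the content."""
    root = etree.fromstring(xml_bytes, parser=parser)
    return "".join(root.itertext())


def demo() -> dict:
    """Parse the same payload with both parsers and report what each one yields."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("SECRET-TOKEN-123")  # stands in for a key or config file
        payload = xxe_payload(secret_path)
        return {
            "permissive": document_text(payload, PERMISSIVE_PARSER),
            "hardened": document_text(payload, HARDENED_PARSER),
        }


if __name__ == "__main__":
    print(demo())
```

With the hardened parser the entity stays an unexpanded reference node and the secret never enters the tree; the same parser object can be passed to every etree.parse() call in docx.py, which is a smaller change than switching those call sites to a different library.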
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 19, 2026, 03:55 PM