pptx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION] (MEDIUM): Unsafe XML parsing with `lxml`. The `ooxml/scripts/validation/docx.py` file uses `lxml.etree.parse()` to process document components. Without explicitly setting `resolve_entities=False`, the parser is vulnerable to XML External Entity (XXE) attacks, which can be leveraged to read sensitive local files or perform server-side request forgery (SSRF).
- [COMMAND_EXECUTION] (LOW): Risk of arbitrary file write via Zip Slip. In `ooxml/scripts/unpack.py` and `ooxml/scripts/validation/docx.py`, the skill uses `zipfile.ZipFile.extractall()` on user-provided Office documents. This pattern is dangerous when handling untrusted archives, as it can potentially overwrite files outside the target directory in environments with older Python versions or misconfigured permissions.
- [COMMAND_EXECUTION] (LOW): Execution of complex external binary. The `ooxml/scripts/pack.py` script executes the `soffice` (LibreOffice) binary via `subprocess.run` to validate documents. Calling heavy external office suites on untrusted files increases the attack surface, as document parsers are common targets for memory corruption exploits.
- [PROMPT_INJECTION] (LOW): Surface for Indirect Prompt Injection. The skill processes external OOXML data that could contain malicious instructions designed to exploit the aforementioned vulnerabilities or influence the agent's behavior.
  - Ingestion points: `ooxml/scripts/unpack.py` and `ooxml/scripts/validation/docx.py` (reads external .docx, .pptx, and .xlsx files).
  - Boundary markers: Absent. The skill does not implement delimiters or warnings to isolate processed content from the agent's instruction context.
  - Capability inventory: File system write access (`zipfile`, `Path.write_bytes`), Subprocess execution (`soffice`).
  - Sanitization: Inconsistent. While `defusedxml` is used for some operations in `pack.py`, the validation logic in `docx.py` relies on the less secure `lxml` parser.
Audit Metadata