morph-ppt-3d

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Uses curl, python3, cp, and officecli to automate the discovery of 3D assets and the construction of presentation files.
  • [EXTERNAL_DOWNLOADS]: Fetches search metadata and GLB model files from well-known services including Sketchfab, Poly Pizza, and official Khronos Group repositories.
  • [REMOTE_CODE_EXECUTION]: Employs a shell pipe to pass JSON data from the Sketchfab API directly to a local Python interpreter. While the syntax resembles remote code execution patterns, the Python script is a static, non-malicious JSON parser defined within the skill itself, and the data source is a well-known service.
  • [PROMPT_INJECTION]: The skill is exposed to potential indirect prompt injection by processing external data from 3D model search results.
      • Ingestion points: External metadata from Sketchfab and Poly Pizza APIs (SKILL.md).
      • Boundary markers: None identified.
      • Capability inventory: File system modification via cp and officecli, and command execution via curl and python3.
      • Sanitization: No validation or escaping is applied to the retrieved search results.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 02:01 PM