pptx-generator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by processing external data (templates and replacement JSON) with high-privilege capabilities.
      • Ingestion points: Processes template.pptx and replacements.json via Deno scripts.
      • Boundary markers: No boundary markers or 'ignore' instructions are defined for the processed content.
      • Capability inventory: Uses deno run with --allow-read and --allow-write flags, granting the skill the ability to read and modify any file the user has access to.
      • Sanitization: The provided JSON schema and documentation show no evidence of path sanitization or restriction to a specific workspace, allowing potential path traversal attacks.
  • Data Exposure & Exfiltration (HIGH): The ImageOptions and PresentationSpec schemas allow a path property to be specified for images and templates.
      • Evidence: In assets/slide-spec-schema.json, the path property for images is a raw string. In references/template-workflow.md, the workflow encourages passing arbitrary file paths to Deno scripts.
      • Risk: An attacker could provide paths to sensitive local files (e.g., ~/.ssh/id_rsa or /etc/passwd) to be read by the script and potentially embedded into a generated presentation or exfiltrated if the script logic allows.
  • Command Execution (MEDIUM): The documentation in references/template-workflow.md explicitly provides shell commands for the agent to execute.
      • Evidence: Multiple instances of deno run --allow-read --allow-write scripts/... are provided as standard workflow steps.
      • Risk: While these are intended for the skill's functionality, they provide a template for local command execution that could be exploited if the agent is tricked into modifying the arguments (e.g., adding --allow-net or changing the script path).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:08 AM