pptx
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several external command-line utilities using subprocess.run, including soffice (LibreOffice), pdftoppm, git, and gcc. These are used for document conversion, visual QA, and building the compatibility shim.
- [REMOTE_CODE_EXECUTION]: In scripts/office/soffice.py, the skill generates a C source file from an internal string, compiles it into a shared library using gcc, and then applies it via LD_PRELOAD to the soffice subprocess. While intended to resolve sandbox socket limitations, this runtime code generation and injection pattern represents high-privilege behavior that allows for system-level hooking.
- [EXTERNAL_DOWNLOADS]: The documentation for the pptxgenjs tool (referenced in pptxgenjs.md) indicates that the system can be configured to fetch assets like images from arbitrary external URLs during the slide generation process.
- [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection by ingesting and processing untrusted .pptx and .docx files. The logic extracts text content from XML structures which may then be used by the agent without sufficient sanitization.
  1. Ingestion points: Untrusted Office documents are extracted and read using unpack.py and markitdown modules.
  2. Boundary markers: The processing logic does not employ delimiters or instructions to ignore embedded commands within the extracted document content.
  3. Capability inventory: Includes file system modification, subprocess execution (soffice, gcc), and network requests for external assets.
  4. Sanitization: No explicit sanitization or filtering logic was found to handle potentially malicious instructions embedded in the document text nodes before they are returned to the agent context.