pptx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill presents a large attack surface for indirect prompt injection.
  - Ingestion points: The `ooxml/scripts/unpack.py` and `ooxml/scripts/validation/docx.py` scripts read XML data directly from user-provided Office files.
  - Boundary markers: No boundary markers or clear instructions are implemented to distinguish document content from agent instructions.
  - Capability inventory: The skill can execute system commands (`soffice` in `pack.py`), write files to the local disk, and delete files (`output_file.unlink()` in `pack.py`).
  - Sanitization: While `defusedxml` is used for formatting, it is not consistently applied to the validation logic, and document content is not sanitized before being returned to the agent context.
- [COMMAND_EXECUTION] (MEDIUM): In `ooxml/scripts/pack.py`, the `validate_document` function executes the `soffice` (LibreOffice) binary via `subprocess.run`. Invoking complex external applications on untrusted inputs can expose the host system to vulnerabilities present in the office suite.
- [DATA_EXFILTRATION] (HIGH): The script `ooxml/scripts/validation/docx.py` uses `lxml.etree.parse` to evaluate XML files. By default, `lxml` may resolve external entities, which facilitates XML External Entity (XXE) attacks. This could allow a malicious document to read sensitive files from the local filesystem and expose them through the validator's output.
Recommendations
- AI detected serious security threats
Audit Metadata