pptx-processing-anthropic
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses system utilities to perform document conversion and comparison tasks:
  - Executes soffice (LibreOffice) for converting presentations to PDF and for headless validation in ooxml/scripts/pack.py and scripts/thumbnail.py.
  - Executes pdftoppm (Poppler) to convert PDF pages into JPEG images in scripts/thumbnail.py.
  - Executes git diff to perform character-level comparison of document revisions in ooxml/scripts/validation/redlining.py.
  - Launches a Chromium browser instance via playwright to render HTML slides in scripts/html2pptx.js.
- [EXTERNAL_DOWNLOADS]: The skill relies on several standard packages from official registries (PyPI and NPM), including playwright, sharp, pptxgenjs, and markitdown.
- [PROMPT_INJECTION]: The skill contains patterns that override default agent tool behaviors:
  - Explicitly instructs the agent to ignore tool range limits (e.g., "NEVER set any range limits") when reading documentation and inventory files to ensure full content consumption.
- [PROMPT_INJECTION]: There is a potential surface for indirect prompt injection (Category 8) due to the ingestion of untrusted external content:
  - Ingestion points: Text extraction from user-provided .pptx files via markitdown and scripts/inventory.py; rendering of user-influenced HTML slides in scripts/html2pptx.js.
  - Boundary markers: Missing explicit delimiters or instructions to ignore embedded commands within extracted slide content.
  - Capability inventory: Significant capabilities including file system write access, system command execution, and browser rendering.
  - Sanitization: Lacks explicit instructions for sanitizing content extracted from slides before it is processed by the agent's reasoning engine.
Audit Metadata