pptx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The file 'ooxml/scripts/pack.py' contains a function 'validate_document' that executes the 'soffice' (LibreOffice) command using 'subprocess.run'. This is used to convert documents to HTML as a validation step. Executing system binaries on untrusted inputs is a significant security risk.
- [REMOTE_CODE_EXECUTION] (HIGH): A maliciously crafted Office document could exploit vulnerabilities in the 'soffice' conversion process (e.g., via macros or parser vulnerabilities) to execute arbitrary code on the host system.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from Office documents which could contain malicious instructions intended for the agent.
  - Ingestion points: Files are processed in 'ooxml/scripts/unpack.py', 'ooxml/scripts/pack.py', and 'scripts/rearrange.py' via 'zipfile' and XML parsers.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are used when processing the external content.
  - Capability inventory: The skill can read/write files and execute system commands ('soffice' via subprocess).
  - Sanitization: While 'defusedxml' is used to prevent XXE attacks, it does not protect against malicious content designed to exploit the logic of the agent or the 'soffice' binary during conversion.
- [EXTERNAL_DOWNLOADS] (LOW): The skill depends on external Python packages ('python-pptx', 'lxml', 'defusedxml', 'six') and a system-level installation of LibreOffice ('soffice').
Recommendations
- AI detected serious security threats