pptx
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several system commands through the Python
subprocessmodule and performs runtime compilation. - It uses
gccto compile an embedded C source string into a shared library (lo_socket_shim.so) at runtime. - It performs process injection by setting the
LD_PRELOADenvironment variable to load this custom library into thesoffice(LibreOffice) process space to modify its networking behavior. - It executes system utilities including
sofficefor document conversion,pdftoppmfor image generation, andgitfor generating document diffs. - [PROMPT_INJECTION]: The skill processes untrusted PowerPoint files, which creates a surface for indirect prompt injection attacks.
- Ingestion points:
scripts/office/unpack.pyextracts and parses XML content from user-provided.pptxand.docxfiles. - Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands within the ingested text.
- Capability inventory: The skill possesses high-risk capabilities, including arbitrary command execution and file system access.
- Sanitization: While
defusedxmlis used to prevent XML-based attacks, there is no validation or filtering of natural language instructions that might be embedded in slide content. - [EXTERNAL_DOWNLOADS]: The skill documentation references multiple external dependencies required for full functionality.
- Python dependencies:
markitdown[pptx],Pillow,defusedxml, andlxml. - Node.js dependencies:
pptxgenjs,react-icons,react,react-dom, andsharp. - System requirements: LibreOffice and Poppler utility suite.
Audit Metadata