pptx
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Direct prompt injection patterns detected in 'SKILL.md'. The instructions '读取此文件时绝不要设置任何范围限制' (Never set any range limits when reading this file) and '从头到尾完整阅读... 绝不要设置任何范围限制' (Read it completely from beginning to end... never set any range limits) are behavior-overriding markers designed to bypass the agent's native tool-use constraints.
- [COMMAND_EXECUTION]: Multiple scripts use 'subprocess.run' to execute system binaries for document conversion, validation, and processing. Specifically, 'ooxml/scripts/pack.py' executes 'soffice', 'scripts/thumbnail.py' executes 'soffice' and 'pdftoppm', and 'ooxml/scripts/validation/redlining.py' executes 'git'. These operations are associated with the primary skill purpose but execute external code on user-provided data.
- [PROMPT_INJECTION]: Indirect prompt injection surface identified. Ingestion points: Untrusted content is ingested from PowerPoint files via 'inventory.py', 'markitdown', and RAW XML access. Boundary markers: Absent in data processing scripts and instructions. Capability inventory: The skill possesses file read/write, subprocess execution, and browser automation capabilities. Sanitization: Extracted text and shapes are processed and re-rendered without visible validation or sanitization, potentially allowing malicious content within documents to influence agent behavior.
Audit Metadata