deck
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates and executes Python scripts at runtime to handle PowerPoint (.pptx) file extraction and export. This involves writing logic to a file and executing it based on user-provided inputs.
- [COMMAND_EXECUTION]: Employs browser automation (
browser-use) to execute arbitrary JavaScript (eval) on external websites to programmatically extract CSS styles and brand assets. This executes code in a context influenced by external, potentially untrusted web content. - [EXTERNAL_DOWNLOADS]: Instructs the agent to install external software dependencies (
python-pptx,Pillow) via pip during the conversion process. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from multiple external vectors including PowerPoint files and third-party websites. It lacks explicit sanitization or strict boundary markers when interpolating this data into the final presentation output.
- Ingestion points: User-provided .pptx files and external website content extracted via browser automation.
- Boundary markers: No specific delimiters or "ignore instructions" warnings are utilized during content interpolation.
- Capability inventory: File system access (
.octave-decks/), Python subprocess execution, and browser-based code execution. - Sanitization: Content is extracted and mapped directly to slide templates without validation for malicious instructions.
Audit Metadata