pptx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- DATA_EXFILTRATION (MEDIUM): Path Traversal (Zip Slip) vulnerability detected in ooxml/scripts/unpack.py (line 14) and ooxml/scripts/validation/docx.py (line 198). The use of zipfile.extractall() without validating the target paths of files within the archive allows a malicious Office document to write or overwrite files outside the intended output directory.\n- COMMAND_EXECUTION (MEDIUM): The skill uses subprocess.run() in ooxml/scripts/pack.py to execute the 'soffice' (LibreOffice) system binary on generated document files. This exposes the environment to potential document-parsing exploits if the agent is manipulated into creating a malicious document structure.\n- EXTERNAL_DOWNLOADS (LOW): The skill relies on an external system installation of LibreOffice ('soffice') for its validation functionality (ooxml/scripts/pack.py). While not a direct remote download, it introduces third-party binary execution on untrusted data.\n- PROMPT_INJECTION (LOW): Indirect Prompt Injection surface. The skill processes untrusted external data (OOXML files) which could contain instructions intended to influence the agent's behavior during subsequent processing steps.\n
- Ingestion points: ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py.\n
- Boundary markers: None identified in the prompt logic.\n
- Capability inventory: Extensive file system write access and execution of external binaries (soffice).\n
- Sanitization: Inconsistent; while defusedxml is used for some operations, lxml.etree is used in docx.py without explicit protection against External Entity (XXE) attacks.
Audit Metadata