pptx-creator
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted Markdown and JSON data to generate presentation content, making it susceptible to indirect injection attacks.
  - Ingestion points: Input files provided via the `--outline` and `--json` flags in `scripts/create_pptx.py` and `scripts/use_template.py`.
  - Boundary markers: No boundary markers or delimiters are used to isolate untrusted data from the instructions.
  - Capability inventory: Includes file system access (reading images/data, writing PPTX files), network access (via `httpx`), and subprocess execution (`uv run`).
  - Sanitization: There is no evidence of sanitization or validation of the input text before it is inserted into slides or passed to downstream scripts.
- [COMMAND_EXECUTION]: The script `scripts/create_pptx.py` executes local subprocesses with arguments derived from user input.
  - Evidence: The `generate_image` function uses `subprocess.run` to call a script from another skill (`nano-banana-pro`). It passes a `prompt` extracted directly from the user's markdown or JSON content. While it avoids using a shell, it presents a surface for argument injection or prompt injection targeting the image generator.
- [DATA_EXFILTRATION]: The skill can be coerced into attempting to read local files via path manipulation.
  - Evidence: The markdown parser in `scripts/create_pptx.py` accepts file paths in the image syntax. If an attacker provides a path to a sensitive file (e.g., `/etc/passwd`), the script will attempt to read it using `Path.exists()` and `Presentation.add_picture()`. Although `python-pptx` would likely fail to process non-image files, this capability could be used for file existence checks or to trigger errors exposing system information.
Audit Metadata