baoyu-slide-deck

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It ingests untrusted content from external files (e.g., content.md) and uses this data to "Generate Prompts" (Step 4) and determine the workflow logic.
  • Ingestion points: path/to/content.md, source-data.xlsx, and user-pasted text.
  • Boundary markers: Absent. The skill does not define delimiters to separate untrusted content from its internal instructions.
  • Capability inventory: The skill can execute shell commands (npx, bun), write files to the disk, and generate prompts for other AI components.
  • Sanitization: Absent. There is no evidence of escaping or filtering logic for the ingested content.
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes local TypeScript scripts (merge-to-pptx.ts and merge-to-pdf.ts) using npx -y bun. This allows for arbitrary code execution within the environment context of the skill. While these scripts are part of the distribution, the pattern of executing scripts via a package runner on untrusted inputs is a significant risk factor.
  • [DYNAMIC_EXECUTION] (MEDIUM): The "Extension Support" feature allows the skill to load EXTEND.md files from the current project directory or the user's home directory to override default behaviors. An attacker who can place a file in these locations can modify the skill's logic or execution flow at runtime.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 11:12 AM