pptx
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
- COMMAND_EXECUTION
- DATA_EXFILTRATION
- PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): Path Traversal (Zip Slip) in ooxml/scripts/unpack.py. The script calls zipfile.ZipFile.extractall() on untrusted Office files without validating member paths, allowing an attacker to overwrite arbitrary files on the host system using directory traversal sequences (e.g., ../).
- DATA_EXFILTRATION (MEDIUM): XML External Entity (XXE) Vulnerability. The script ooxml/scripts/validation/docx.py uses lxml.etree.parse() without disabling external entity resolution. This can be exploited to read sensitive local files or perform server-side request forgery (SSRF) via a maliciously crafted Office document.
- COMMAND_EXECUTION (MEDIUM): Unsafe Subprocess Call in ooxml/scripts/pack.py. The script executes the soffice command via subprocess.run to validate documents. Processing untrusted, complex file formats with a large external office suite increases the attack surface for potential exploitation.
- PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface. The skill ingests untrusted OOXML data and possesses capabilities that include file system access and subprocess execution. Evidence Chain:
  1. Ingestion point: unpack.py
  2. Boundary markers: Absent
  3. Capability inventory: subprocess.run, zip extraction, file writes, and XML parsing
  4. Sanitization: Partially implemented with defusedxml, but absent for lxml.etree parsing
Recommendations
- AI detected serious security threats