pptx-official
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests data from untrusted external sources.
  - Ingestion points: Untrusted data enters the agent context through 'unpack.py' (XML extraction), 'inventory.py' (text extraction from slides), and 'html2pptx.js' (rendering HTML content).
  - Boundary markers: There are no explicit delimiters or warnings to ignore embedded instructions in the processed text.
  - Capability inventory: The skill possesses powerful capabilities including arbitrary command execution ('pack.py', 'thumbnail.py') and headless browser execution ('html2pptx.js').
  - Sanitization: The skill employs 'defusedxml' to mitigate XML External Entity (XXE) attacks, but does not sanitize the text content for secondary prompt instructions.
- [COMMAND_EXECUTION]: The skill uses 'subprocess.run' to invoke system binaries such as 'soffice' (LibreOffice) and 'pdftoppm' (Poppler). While these are required for document conversion and thumbnail generation, they represent a potential execution vector if file paths or arguments are not strictly controlled.
- [EXTERNAL_DOWNLOADS]: The skill requires multiple external dependencies, including 'playwright', 'sharp', 'markitdown', and 'pptxgenjs'. These are well-known, industry-standard tools and do not represent a malicious finding by themselves, but they expand the attack surface of the agent environment.
- [DYNAMIC_EXECUTION]: In 'scripts/html2pptx.js', the skill launches a headless Chromium browser using 'playwright' to render local HTML files. If the HTML content contains malicious JavaScript, it could potentially be executed within the context of the browser instance, although the script targets local 'file://' paths.