pptx
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The scripts
ooxml/scripts/unpack.pyandooxml/scripts/validation/docx.pyusezipfile.ZipFile.extractall()on input files without validating member paths. This is a Zip Slip vulnerability that allows an attacker to write files anywhere on the filesystem reachable by the process using directory traversal (e.g.,../../.bashrc). Since this is associated with the primary purpose of the skill, the severity is considered MEDIUM in the final verdict calculation.\n- [COMMAND_EXECUTION] (MEDIUM):ooxml/scripts/pack.pyexecutes thesoffice(LibreOffice) binary viasubprocess.runto validate documents. While using a list-based command minimizes shell injection, processing untrusted documents through a complex office suite exposes the environment to LibreOffice's internal vulnerabilities.\n- [DATA_EXFILTRATION] (MEDIUM):ooxml/scripts/validation/docx.pyuseslxml.etree.parse()to process XML files. By default,lxmlcan resolve external entities, which could lead to XXE attacks (reading local files) if the processed document contains malicious XML.\n- [PROMPT_INJECTION] (LOW): This skill provides an Indirect Prompt Injection surface.\n - Ingestion points: Office documents processed via
ooxml/scripts/unpack.pyand analyzed inooxml/scripts/validation/docx.py.\n - Boundary markers: Not present.\n
- Capability inventory: File system writes (Zip Slip), subprocess execution (
soffice), and document content reading.\n - Sanitization: Partial;
defusedxmlis used in some scripts, but security flags forlxmland path validation for zip extraction are missing.
Audit Metadata