pptx
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It extracts text and XML content from external PowerPoint files using tools like markitdown and custom unpacking scripts. The instructions require the agent to read the full content of these files without providing specific boundary markers or sanitization guidelines. A malicious presentation could contain hidden instructions designed to hijack the agent's behavior.
  - Ingestion points: Text extraction via markitdown and XML parsing in scripts like scripts/inventory.py and ooxml/scripts/unpack.py.
  - Boundary markers: Absent. The agent is instructed to read the entire extracted content.
  - Capability inventory: The agent can execute shell commands (subprocess), write files to the workspace, and run JavaScript via Playwright.
  - Sanitization: Not explicitly implemented for extracted document content.
- [COMMAND_EXECUTION]: The skill relies on several system CLI tools to perform its functions, which are executed via Python's subprocess or Node.js. While these are used for the skill's primary purpose, they represent a significant capability that could be abused if the agent is subverted by a malicious document.
  - Evidence: ooxml/scripts/pack.py and scripts/thumbnail.py execute soffice (LibreOffice) for PDF and HTML conversion.
  - Evidence: scripts/thumbnail.py executes pdftoppm (Poppler) for image generation.
  - Evidence: ooxml/scripts/validation/redlining.py executes git diff for version comparison.
  - Evidence: scripts/html2pptx.js uses Playwright (chromium.launch) to render HTML, which can execute JavaScript in a local context.
Audit Metadata