pptx
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Several scripts in the skill (pack.py, thumbnail.py, redlining.py) use the subprocess module to call system utilities like LibreOffice (soffice), Poppler (pdftoppm), and Git. These tools are used for document conversion, image generation, and version comparison. The commands are constructed as lists and executed without a shell environment, which mitigates standard injection vulnerabilities.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection. Untrusted data enters the agent context through PowerPoint XML files parsed by inventory.py and HTML slide templates processed by html2pptx.js. The scripts contain no boundary markers to distinguish data from instructions. The skill's capabilities include subprocess calls, file system writes, and network access via a headless browser. While it uses the defusedxml library for XML parsing, it lacks specific sanitization for natural language instructions that could be embedded in slide content to manipulate agent behavior.
- [EXTERNAL_DOWNLOADS]: The skill's documentation lists standard dependencies including markitdown, pptxgenjs, playwright, and sharp. These are well-known, legitimate libraries from established sources and organizations. No patterns of downloading or executing unverifiable remote scripts from untrusted domains were detected.
- [SAFE]: The skill follows security best practices by utilizing defusedxml for primary XML processing to prevent XXE attacks. It avoids common malicious patterns such as hardcoded credentials or code obfuscation. The use of system-level utilities and a headless browser environment is restricted to the skill's primary purpose of presentation management.
Audit Metadata