pptx
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection surface. The skill ingests untrusted Office documents via ooxml/scripts/unpack.py and ooxml/scripts/validation/docx.py while possessing the capability to execute system commands via soffice in ooxml/scripts/pack.py. Mandatory evidence: (1) Ingestion points: zipfile extraction and lxml parsing; (2) Boundary markers: None; (3) Capability inventory: subprocess.run for soffice; (4) Sanitization: Partial use of defusedxml but unhardened lxml usage.
- [COMMAND_EXECUTION] (MEDIUM): ooxml/scripts/pack.py executes the soffice binary using subprocess.run, which could be abused if processed documents trigger vulnerabilities in the external tool.
- [REMOTE_CODE_EXECUTION] (MEDIUM): ooxml/scripts/validation/docx.py uses lxml.etree.parse() without restricting entity resolution, making it vulnerable to XML External Entity (XXE) attacks.
Recommendations
- AI detected serious security threats