skills/teamily-ai/skill-creator/pptx/Gen Agent Trust Hub

pptx

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Runtime Compilation and Injection: The file 'scripts/office/soffice.py' contains an embedded C source code shim designed to intercept and modify system calls. The script writes this source to a temporary file, compiles it into a shared library using the system's 'gcc' compiler, and then executes the 'soffice' binary with the 'LD_PRELOAD' environment variable set to inject this library into the process. This technique allows the skill to override standard operating system behavior at runtime.
  • [COMMAND_EXECUTION]: External Tooling: The skill manages and executes multiple external command-line utilities, including 'soffice' (LibreOffice), 'pdftoppm' (Poppler), and 'gcc' (GNU Compiler Collection) to perform its core tasks.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill is designed to parse and extract text from external, untrusted PowerPoint (.pptx) files. This content is then processed by the AI agent, potentially allowing malicious instructions embedded in the presentations to manipulate agent behavior.
      • Ingestion points: Data enters through the 'markitdown' library and the 'scripts/office/unpack.py' script.
      • Boundary markers: Absent. The skill does not use delimiters or instructions to help the agent distinguish between data and commands within presentation content.
      • Capability inventory: The skill has high-tier capabilities, including executing arbitrary commands via subprocess and file system modification.
      • Sanitization: Absent. While the skill uses 'defusedxml' to protect against XML-level attacks like XXE, it does not sanitize the extracted natural language for potential prompt injections.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 01:33 AM