pptx
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: Deceptive Metadata and Impersonation
  - The skill's license file (LICENSE.txt) claims copyright by 'Anthropic, PBC', which contradicts the declared author metadata 'thomasrohde'. Impersonating a trusted organization is a high-risk indicator: it misleads users about the skill's origin and, by extension, its safety.
- [COMMAND_EXECUTION]: Arbitrary File Write (Zip Slip)
  - The script ooxml/scripts/unpack.py calls zipfile.ZipFile.extractall() without checking that every member path resolves inside the target directory. A PPTX is a ZIP container, so a crafted file carrying member names such as ../../.bashrc could in principle overwrite files outside the extraction directory. Note that CPython's zipfile strips leading separators and '..' components from member names during extraction, which mitigates this particular traversal on current interpreters; an explicit containment check is still expected, both as defence in depth and because other extraction code paths (or other ZIP libraries) do not sanitize.
- [COMMAND_EXECUTION]: Dynamic Execution Surface
  - The scripts/html2pptx.js utility uses Playwright to launch a browser and run page.evaluate(). Untrusted HTML slide content therefore executes in a browser context the agent controls, which opens a path for indirect prompt injection: instructions embedded in the HTML could run JavaScript in that context or steer the agent into reading local files via file:// URLs.
- [COMMAND_EXECUTION]: Unsafe Subprocess Execution
  - Scripts such as scripts/thumbnail.py and ooxml/scripts/pack.py invoke soffice (LibreOffice) and pdftoppm via subprocess.run. Both are large native document parsers with a history of memory-safety issues in malformed-input handling, so a malicious PPTX passed through the skill reaches that attack surface directly.
- [PROMPT_INJECTION]: Workflow instruction override
  - Instructions in SKILL.md and html2pptx.md use high-priority markers ('MANDATORY', 'CRITICAL', 'NEVER set any range limits') to override the agent's default behavior. Such patterns push the agent to process potentially malicious content without its usual safety constraints.
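The Zip Slip finding above, illustrated with an added example that is not code from the skill or from the audit: a containment check run over each archive member before calling extractall(), alongside the unchecked call so the two can be compared. The archives are constructed in memory here and are not real PowerPoint files; the payload text is hypothetical. The unchecked path also shows where CPython's own sanitization actually places a '../' member.

```python
"""Added example: rejecting Zip Slip member paths before extracting an OOXML package."""
import io
import os
import tempfile
import zipfile

# Constructed stand-ins for what an unpack script would see (not real PPTX content).
BENIGN_PPTX = {
    "[Content_Types].xml": b"<Types/>",
    "ppt/presentation.xml": b"<presentation/>",
    "ppt/slides/slide1.xml": b"<sld/>",
}
ZIP_SLIP_PPTX = {
    "[Content_Types].xml": b"<Types/>",
    "../evil.txt": b"# hypothetical payload, constructed for this example\n",
}
NESTED_SLIP_PPTX = {
    "ppt/../../evil.txt": b"payload",
}


def build_archive(entries: dict) -> bytes:
    """Pack name -> bytes into an in-memory zip; writestr stores '..' in names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_member_paths(zf: zipfile.ZipFile, dest: str):
    """Return the first member whose resolved path escapes dest, or None if all are contained.

    Joining an absolute member name onto root yields the absolute name itself, so absolute
    paths and '..' traversal are both caught by the common-path comparison.
    """
    root = os.path.realpath(dest)
    for info in zf.infolist():
        target = os.path.realpath(os.path.join(root, info.filename))
        if os.path.commonpath([root, target]) != root:
            return info.filename
    return None


def list_written(dest: str) -> list:
    """Relative paths of every file under dest, sorted for stable comparison."""
    out = []
    for dirpath, _, files in os.walk(dest):
        for name in files:
            out.append(os.path.relpath(os.path.join(dirpath, name), dest))
    return sorted(out)


def unpack(data: bytes, safe: bool = True) -> dict:
    """Extract into a fresh temp dir.

    safe=True  -> refuse the whole archive if any member would land outside dest.
    safe=False -> the bare extractall() call the finding describes.
    Returns dest, the rejected member name (or None) and the files actually written.
    """
    dest = tempfile.mkdtemp(prefix="pptx-unpack-")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if safe:
            bad = check_member_paths(zf, dest)
            if bad is not None:
                return {"dest": dest, "rejected": bad, "files": []}
        zf.extractall(dest)
    return {"dest": dest, "rejected": None, "files": list_written(dest)}


if __name__ == "__main__":
    for label, entries in (("benign", BENIGN_PPTX), ("zip-slip", ZIP_SLIP_PPTX)):
        print(label, "checked:", unpack(build_archive(entries)))
        print(label, "unchecked:", unpack(build_archive(entries), safe=False))
```

Running the unchecked path shows that CPython drops the '..' components rather than honouring them: '../evil.txt' is written as evil.txt inside the extraction directory, and 'ppt/../../evil.txt' as ppt/evil.txt. The check is still worth keeping, since it fails closed on the archive rather than silently relocating a member, and it does not rely on that library behaviour.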
Recommendations
- AI detected serious security threats
Audit Metadata