pptx-skill
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/thumbnail.py executes the system commands soffice (LibreOffice) and pdftoppm (Poppler) via subprocess.run to convert PowerPoint files to PDF and then into image grids for thumbnails. These calls use list-based arguments without a shell, which prevents shell injection vulnerabilities.
- [COMMAND_EXECUTION]: The script ooxml/scripts/pack.py uses the soffice utility to validate the integrity of generated Office documents through a headless conversion process.
- [REMOTE_CODE_EXECUTION]: The converter logic in scripts/html2pptx.js employs Playwright (headless Chromium) to render local HTML files. This execution is confined to a browser context and is used solely to calculate CSS positions and layout dimensions for PowerPoint generation.
- [SAFE_PRACTICE]: The skill demonstrates security awareness by using the defusedxml library in ooxml/scripts/pack.py and ooxml/scripts/unpack.py to parse XML content, which effectively mitigates XML External Entity (XXE) vulnerabilities when handling Office document structures.
Audit Metadata