pptx
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill documentation in `SKILL.md` includes explicit directives such as 'NEVER set any range limits' when reading reference files. These instructions attempt to override default agent tool behavior and constraints.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). Ingestion points: Text is extracted from external `.pptx` files via `markitdown` and `scripts/inventory.py`. Boundary markers: None present. Capability inventory: Subprocess calls in `pack.py` and `thumbnail.py`, and browser automation in `html2pptx.js`. Sanitization: None. Content extracted from presentations is interpreted by the agent without isolation, allowing malicious instructions within a slide to potentially hijack agent intent.
- [COMMAND_EXECUTION]: Several utility scripts (`ooxml/scripts/pack.py`, `scripts/thumbnail.py`, `ooxml/scripts/validation/redlining.py`) invoke system binaries including LibreOffice (`soffice`), Poppler (`pdftoppm`), and `git` through `subprocess.run`. Although these are used for the skill's primary purpose, they involve running external executables on user-supplied files.
- [COMMAND_EXECUTION]: The `scripts/html2pptx.js` component uses Playwright to manage a headless Chromium instance. It navigates to local files and executes JavaScript in the browser environment to calculate slide layouts, which presents an execution surface if the agent renders untrusted content.
Audit Metadata